Search Results

wp-includes/ms-functions.php in the Multisite WordPress API in
WordPress before 4.7.1 does not properly choose random numbers for
keys, which makes it easier for remote attackers to bypass intended
access restrictions via a crafted (1) site signup or (2) user signup.

Multiple cross-site scripting (XSS) vulnerabilities in
wp-admin/update-core.php in WordPress before 4.7.1 allow remote
attackers to inject arbitrary web script or HTML via the (1) name or
(2) version header of a plugin.

The sock_setsockopt function in net/core/sock.c in the Linux kernel
before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf,
which allows local users to cause a denial of service (memory
corruption and system crash) or possibly have unspecified other impact
by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt
system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.

Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the
Linux kernel before 4.5.1 allow local users to cause a denial of
service (memory consumption) via crafted XFS filesystem operations.

named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and
9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of
service (assertion failure and daemon exit) via a DNAME record in the
answer section of a response to a recursive query, related to db.c and
resolver.c.

The php_wddx_push_element function in ext/wddx/wddx.c in PHP before
5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial
of service (invalid pointer access and out-of-bounds read) or possibly
have unspecified other impact via an incorrect boolean element in a
wddxPacket XML document, leading to mishandling in a wddx_deserialize
call.

ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before
7.0.10 mishandles certain invalid objects, which allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via crafted serialized data that leads to a (1)
__destruct call or (2) magic method call.

The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before
1.0.2i might allow remote attackers to cause a denial of service
(out-of-bounds read) via crafted certificate operations, related to
s3_clnt.c and s3_srvr.c.

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2
before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause
a denial of service (memory consumption) via large OCSP Status Request
extensions.

Multiple heap-based buffer overflows in the hiddev_ioctl_usage
function in drivers/hid/usbhid/hiddev.c in the Linux kernel through
4.6.3 allow local users to cause a denial of service or possibly have
unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)
HIDIOCSUSAGES ioctl call.

Multiple integer overflows in mcrypt.c in the mcrypt extension in PHP
before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allow remote
attackers to cause a denial of service (heap-based buffer overflow and
application crash) or possibly have unspecified other impact via a
crafted length value, related to the (1) mcrypt_generic and (2)
mdecrypt_generic functions.

Multiple integer overflows in the MDSS driver for the Linux kernel
3.x, as used in Qualcomm Innovation Center (QuIC) Android
contributions for MSM devices and other products, allow attackers to
cause a denial of service or possibly have unspecified other impact
via a large size value, related to mdss_compat_utils.c, mdss_fb.c, and
mdss_rotator.c.

drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service
driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center
(QuIC) Android contributions for MSM devices and other products,
allows attackers to cause a denial of service (memory corruption) or
possibly have unspecified other impact via a write request, as
demonstrated by a voice_svc_send_req buffer overflow.

Multiple unspecified vulnerabilities in Google Chrome before
53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux
allow attackers to cause a denial of service or possibly have other
impact via unknown vectors.

Multiple integer overflows in OpenJPEG, as used in PDFium in Google
Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92
on Linux, allow remote attackers to cause a denial of service
(heap-based buffer overflow) or possibly have unspecified other impact
via crafted JPEG 2000 data that is mishandled during
opj_aligned_malloc calls in dwt.c and t1.c.

Multiple integer overflows in the opj_tcd_init_tile function in tcd.c
in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on
Windows and OS X and before 53.0.2785.92 on Linux, allow remote
attackers to cause a denial of service (heap-based buffer overflow) or
possibly have unspecified other impact via crafted JPEG 2000 data.

Multiple heap-based buffer overflows in PDFium, as used in Google
Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92
on Linux, allow remote attackers to cause a denial of service or
possibly have unspecified other impact via a crafted JBig2 image.

Multiple integer overflows in the opj_tcd_init_tile function in tcd.c
in OpenJPEG, as used in PDFium in Google Chrome before 52.0.2743.116,
allow remote attackers to cause a denial of service (heap-based buffer
overflow) or possibly have unspecified other impact via crafted JPEG
2000 data.

phpMyAdmin before 4.6.2 places tokens in query strings and does not
arrange for them to be stripped before external navigation, which
allows remote attackers to obtain sensitive information by reading (1)
HTTP requests or (2) server logs.

The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt
implementations in the netfilter subsystem in the Linux kernel before
4.6.3 allow local users to gain privileges or cause a denial of
service (memory corruption) by leveraging in-container root access to
provide a crafted offset value that triggers an unintended decrement.

ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote
attackers to cause a denial of service (peer-variable clearing and
association outage) by sending (1) a spoofed crypto-NAK packet or (2)
a packet with an incorrect MAC value at a certain time.

The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10,
and watchOS before 3 allows attackers to execute arbitrary code in a
privileged context or cause a denial of service (memory corruption)
via a crafted app.

The WebKit Page Loading implementation in Apple iOS before 9.3.3,
Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to
execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site.

sound/core/timer.c in the Linux kernel through 4.6 does not initialize
certain r1 data structures, which allows local users to obtain
sensitive information from kernel stack memory via crafted use of the
ALSA timer interface, related to the (1) snd_timer_user_ccallback and
(2) snd_timer_user_tinterrupt functions.

The BPF subsystem in the Linux kernel before 4.5.5 mishandles
reference counts, which allows local users to cause a denial of
service (use-after-free) or possibly have unspecified other impact via
a crafted application on (1) a system with more than 32 Gb of memory,
related to the program reference count or (2) a 1 Tb system, related
to the map reference count.

The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before
5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate
IFD sizes, which allows remote attackers to cause a denial of service
(out-of-bounds read) or possibly have unspecified other impact via
crafted header data.

wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r characters
in passphrase parameters, which allows local users to trigger
arbitrary library loading and consequently gain privileges, or cause a
denial of service (daemon outage), via a crafted (1) SET, (2)
SET_CRED, or (3) SET_NETWORK command.

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before
5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files,
which allows remote attackers to cause a denial of service
(uninitialized pointer dereference) or possibly have unspecified other
impact via a crafted TAR archive.

ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and
7.x before 7.0.3 mishandles zero-length uncompressed data, which
allows remote attackers to cause a denial of service (heap memory
corruption) or possibly have unspecified other impact via a crafted
(1) TAR, (2) ZIP, or (3) PHAR archive.

Multiple integer overflows in the mbfl_strcut function in
ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x
before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via a crafted mb_strcut call.

The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x
before 7.0.5 allows remote attackers to execute arbitrary code via a
crafted filename, as demonstrated by mishandling of \0 characters by
the phar_analyze_path function in ext/phar/phar.c.

Multiple unspecified vulnerabilities in the obs-service-extract_file
package before 0.3-5.1 in openSUSE Leap 42.1 and before 0.3-3.1 in
openSUSE 13.2 allow attackers to execute arbitrary commands via a
service definition, related to executing unzip with "illegal options."

Android 6.x before 2016-09-01 and 7.0 before 2016-09-01 allows
physically proximate attackers to bypass the Factory Reset Protection
protection mechanism by accessing (1) an external tile from a system
application, (2) the help feature, or (3) the Settings application
during a pre-setup stage, aka internal bug 29194585.

Off-by-one error in server/wifi/anqp/VenueNameElement.java in Wi-Fi in
Android 6.x before 2016-10-01 and 7.0 before 2016-10-01 allows remote
attackers to cause a denial of service (reboot) via an access point
that provides a crafted (1) Venue Group or (2) Venue Type value, aka
internal bug 29464811.

Multiple buffer overflows in rtsp/ASessionDescription.cpp in
libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x
before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0
before 2016-09-01 allow remote attackers to cause a denial of service
(device hang or reboot) via a crafted media file, aka internal bug
25747670.

MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x
before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before
2016-07-01 does not check whether memory allocation succeeds, which
allows remote attackers to cause a denial of service (device hang or
reboot) via a crafted file, aka internal bug 28471206.

The sockets subsystem in Android 5.0.x before 5.0.2, 5.1.x before
5.1.1, and 6.x before 2016-07-01 allows attackers to gain privileges
via a crafted application that uses (1) the AF_MSM_IPC socket class or
(2) another socket class that is unrecognized by SELinux, aka internal
bug 28612709.

Multiple buffer overflows in libdex/OptInvocation.cpp in
DexClassLoader in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x
before 5.1.1, and 6.x before 2016-07-01 allow attackers to gain
privileges via a crafted application that provides a long filename,
aka internal bug 27840771.

Multiple unspecified vulnerabilities in Google V8 before 4.9.385.33,
as used in Google Chrome before 49.0.2623.108, allow attackers to
cause a denial of service or possibly have other impact via unknown
vectors.

Multiple integer overflows in php_zip.c in the zip extension in PHP
before 7.0.6 allow remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly have
unspecified other impact via a crafted call to (1) getFromIndex or (2)
getFromName in the ZipArchive class.

Multiple unspecified vulnerabilities in Google V8 before 4.9.385.26,
as used in Google Chrome before 49.0.2623.75, allow attackers to cause
a denial of service or possibly have other impact via unknown vectors.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow remote
attackers to cause a denial of service (memory corruption and
application crash) or possibly execute arbitrary code via vectors
related to Http2Session::Shutdown and SpdySession31::Shutdown, and
other vectors.

Mozilla Network Security Services (NSS) before 3.23, as used in
Mozilla Firefox before 47.0, allows remote attackers to cause a denial
of service (memory corruption and application crash) or possibly have
unspecified other impact via unknown vectors.

The treo_attach function in drivers/usb/serial/visor.c in the Linux
kernel before 4.5 allows physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by inserting a USB device that
lacks a (1) bulk-in or (2) interrupt-in endpoint.

sound/core/timer.c in the Linux kernel before 4.4.1 retains certain
linked lists after a close or stop action, which allows local users to
cause a denial of service (system crash) via a crafted ioctl call,
related to the (1) snd_timer_close and (2) _snd_timer_stop functions.

wiretap/nettrace_3gpp_32_423.c in the 3GPP TS 32.423 Trace file parser
in Wireshark 2.0.x before 2.0.2 does not ensure that a '\0' character
is present at the end of certain strings, which allows remote
attackers to cause a denial of service (stack-based buffer overflow
and application crash) via a crafted file.

Multiple integer overflows in the h264dec component in libstagefright
in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x
before 5.1.1, and 6.x before 2016-06-01 allow remote attackers to
execute arbitrary code or cause a denial of service (memory
corruption) via a crafted media file that triggers a large memory
allocation, aka internal bug 27855419.

codecs/amrnb/dec/SoftAMR.cpp in libstagefright in mediaserver in
Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and
6.x before 2016-05-01 does not validate buffer sizes, which allows
attackers to gain privileges via a crafted application, as
demonstrated by obtaining Signature or SignatureOrSystem access, aka
internal bugs 27662364 and 27843673.

The create_fixed_stream_quirk function in sound/usb/quirks.c in the
snd-usb-audio driver in the Linux kernel before 4.5.1 allows
physically proximate attackers to cause a denial of service (NULL
pointer dereference or double free, and system crash) via a crafted
endpoints value in a USB device descriptor.

Integer signedness error in the MSM V4L2 video driver for the Linux
kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android
contributions for MSM devices and other products, allows attackers to
gain privileges or cause a denial of service (array overflow and
memory corruption) via a crafted application that triggers an
msm_isp_axi_create_stream call.

Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used
in Google Chrome before 48.0.2564.82, allow attackers to cause a
denial of service or possibly have other impact via crafted data, as
demonstrated by a buffer over-read resulting from an inverted length
check in hb-ot-font.cc, a different issue than CVE-2015-8947.

Multiple unspecified vulnerabilities in Google V8 before 4.8.271.17,
as used in Google Chrome before 48.0.2564.82, allow attackers to cause
a denial of service or possibly have other impact via unknown vectors.

phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x
before 4.5.4 allows remote attackers to obtain sensitive information
via a crafted request, which reveals the full path in an error
message.

The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices
before 2016-01-20 has a hardcoded password for the 1MB@tMaN account,
which makes it easier for remote attackers to obtain access via a (1)
SSH or (2) HTTP session, a different vulnerability than CVE-2015-8362.

Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange
function in Mozilla Network Security Services (NSS) before 3.21, as
used in Mozilla Firefox before 44.0, allows remote attackers to cause
a denial of service or possibly have unspecified other impact by
making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory
consumption.

Multiple race conditions in dom/media/systemservices/CamerasChild.cpp
in the WebRTC implementation in Mozilla Firefox before 45.0 on Windows
might allow remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via unknown
vectors.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 45.0 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via vectors related to
js/src/jit/arm/Assembler-arm.cpp, and unknown other vectors.

Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable
Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of
service (buffer overflow) or possibly have unspecified other impact
via a long string to a PR_*printf function.

The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network
Security Services (NSS) before 3.21, as used in Mozilla Firefox before
44.0, improperly divides numbers, which might make it easier for
remote attackers to defeat cryptographic protection mechanisms by
leveraging use of the (1) mp_div or (2) mp_exptmod function.

Multiple integer overflows in ext/standard/exec.c in PHP 7.x before
7.0.2 allow remote attackers to cause a denial of service or possibly
have unspecified other impact via a long string to the (1)
php_escape_shell_cmd or (2) php_escape_shell_arg function, leading to
a heap-based buffer overflow.

The WebKit Canvas implementation in Apple iOS before 9.3.2, Safari
before 9.1.1, and tvOS before 9.2.1 allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via a
crafted web site.

The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics
Drivers subsystem in Apple OS X before 10.11.5 allows attackers to
execute arbitrary code in a privileged context or cause a denial of
service (NULL pointer dereference and memory corruption) via a crafted
app.

Multiple integer overflows in the kernel in Apple iOS before 9.3, OS X
before 10.11.4, tvOS before 9.2, and watchOS before 2.2 allow
attackers to execute arbitrary code in a privileged context via a
crafted app.

The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X
before 10.11.4 allows attackers to execute arbitrary code in a
privileged context or cause a denial of service (memory corruption)
via a crafted app.

Blink, as used in Google Chrome before 51.0.2704.63, allows remote
attackers to bypass the Same Origin Policy by leveraging the
mishandling of Document reattachment during destruction, related to
FrameLoader.cpp and LocalFrame.cpp.

fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome
before 50.0.2661.75, does not properly implement the sycc420_to_rgb
and sycc422_to_rgb functions, which allows remote attackers to obtain
sensitive information from process memory or cause a denial of service
(out-of-bounds read) via crafted JPEG 2000 data in a PDF document.

Multiple integer signedness errors in the opj_j2k_update_image_data
function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome
before 49.0.2623.87, allow remote attackers to cause a denial of
service (incorrect cast and out-of-bounds write) or possibly have
unspecified other impact via crafted JPEG 2000 data.

pi.c in OpenJPEG, as used in PDFium in Google Chrome before
48.0.2564.109, does not validate a certain precision value, which
allows remote attackers to execute arbitrary code or cause a denial of
service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF
document, related to the opj_pi_next_rpcl, opj_pi_next_pcrl, and
opj_pi_next_cprl functions.

libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1
LMY49H, and 6.0 before 2016-03-01 allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via a
crafted media file, related to libwebm/mkvparser.cpp and other files,
aka internal bug 23452792.

Multiple integer overflows in the (1) sycc422_to_rgb and (2)
sycc444_to_rgb functions in fxcodec/codec/fx_codec_jpx_opj.cpp in
PDFium, as used in Google Chrome before 48.0.2564.82, allow remote
attackers to cause a denial of service (out-of-bounds read) or
possibly have unspecified other impact via a crafted PDF document.

Multiple use-after-free vulnerabilities in the formfiller
implementation in PDFium, as used in Google Chrome before
48.0.2564.82, allow remote attackers to cause a denial of service or
possibly have unspecified other impact via a crafted PDF document,
related to improper tracking of the destruction of (1)
IPWL_FocusHandler and (2) IPWL_Provider objects.

Multiple stack-based buffer overflows in COM objects in Micro Focus
Rumba 9.4.x before 9.4 HF 13960 allow remote attackers to execute
arbitrary code via (1) the NetworkName property value to
ObjectXSNAConfig.ObjectXSNAConfig in iconfig.dll, (2) the CPName
property value to ObjectXSNAConfig.ObjectXSNAConfig in iconfig.dll,
(3) the PrinterName property value to ProfileEditor.PrintPasteControl
in ProfEdit.dll, (4) the Data argument to the WriteRecords function in
FTXBIFFLib.AS400FtxBIFF in FtxBIFF.dll, (5) the Serialized property
value to NMSECCOMPARAMSLib.SSL3 in NMSecComParams.dll, (6) the
UserName property value to NMSECCOMPARAMSLib.FirewallProxy in
NMSecComParams.dll, (7) the LUName property value to
ProfileEditor.MFSNAControl in ProfEdit.dll, (8) the newVal argument to
the Load function in FTPSFTPLib.SFtpSession in FTPSFtp.dll, or (9) a
long Host field in the FTP Client.

The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1,
and 4.1.x through 4.6.x allows local PV guests to obtain sensitive
information, cause a denial of service, gain privileges, or have
unspecified other impact via a crafted page identifier (MFN) to the
(1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the
HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page
table updates.

EMC Data Domain OS 5.4 through 5.7 before 5.7.2.0 allows remote
authenticated users to bypass intended password-change restrictions by
leveraging access to (1) a different account with the same role as a
target account or (2) an account's session at an unattended
workstation.

libstagefright in mediaserver in Android 4.x before 4.4.4, 5.x before
5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to
execute arbitrary code or cause a denial of service (memory
corruption) via a crafted media file that triggers a large memory
allocation in the (1) SoftMPEG4Encoder or (2) SoftVPXEncoder
component, aka internal bug 25812794.

Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2
before 1.0.2g allow remote attackers to cause a denial of service
(heap memory corruption or NULL pointer dereference) or possibly have
unspecified other impact via a long digit string that is mishandled by
the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h
and crypto/bn/bn_print.c.

The (1) roaming_read and (2) roaming_write functions in
roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before
7.1p2, when certain proxy and forward options are enabled, do not
properly maintain connection file descriptors, which allows remote
servers to cause a denial of service (heap-based buffer overflow) or
possibly have unspecified other impact by requesting many forwardings.

The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a
certain Linux kernel backport in the linux package before
3.2.73-2+deb7u3 on Debian wheezy and the kernel package before
3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly
consider the side effects of failed __copy_to_user_inatomic and
__copy_from_user_inatomic calls, which allows local users to cause a
denial of service (system crash) or possibly gain privileges via a
crafted application, aka an "I/O vector array overrun." NOTE: this
vulnerability exists because of an incorrect fix for CVE-2015-1805.

The (1) core_enrol_get_course_enrolment_methods and (2)
enrol_self_get_instance_info web services in Moodle through 2.6.11,
2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and
3.0.x before 3.0.2 do not consider the moodle/course:viewhiddencourses
capability, which allows remote authenticated users to obtain
sensitive information via a web-service request.

arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4
allows local users to gain privileges via a crafted (1) F_OFD_GETLK,
(2) F_OFD_SETLK, or (3) F_OFD_SETLKW command in an fcntl64 system
call.

arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used
in the ION subsystem in Android and other products, does not
initialize certain data structures, which allows local users to obtain
sensitive information from kernel memory by triggering a dma_mmap
call.

The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x
before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding
without considering browser compatibility, which allows remote
attackers to conduct cross-site scripting (XSS) attacks against
Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20
mishandling in the header function.

The gdImageScaleTwoPass function in gd_interpolation.c in the GD
Graphics Library (aka libgd) before 2.2.0, as used in PHP before
5.6.12, uses inconsistent allocate and free approaches, which allows
remote attackers to cause a denial of service (memory consumption) via
a crafted call, as demonstrated by a call to the PHP imagescale
function.

Multiple race conditions in the ext4 filesystem implementation in the
Linux kernel before 4.5 allow local users to cause a denial of service
(disk corruption) by writing to a page that is associated with a
different user's file after unsynchronized hole punching and
page-fault handling.

The ngsniffer_process_record function in wiretap/ngsniffer.c in the
Sniffer file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before
2.0.1 does not validate the relationships between record lengths and
record header lengths, which allows remote attackers to cause a denial
of service (out-of-bounds read and application crash) via a crafted
file.

epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark
1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the
number of items, which allows remote attackers to cause a denial of
service (invalid read operation and application crash) via a crafted
packet.

The Mobile Identity parser in (1) epan/dissectors/packet-ansi_a.c in
the ANSI A dissector and (2) epan/dissectors/packet-gsm_a_common.c in
the GSM A dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before
2.0.1 improperly uses the tvb_bcd_dig_to_wmem_packet_str function,
which allows remote attackers to cause a denial of service (buffer
overflow and application crash) via a crafted packet.

epan/dissectors/packet-sctp.c in the SCTP dissector in Wireshark
1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the
frame pointer, which allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via a crafted
packet.

epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark
1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate
conversation data, which allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via a crafted
packet.

buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug
logging is enabled, allows remote attackers to cause a denial of
service (REQUIRE assertion failure and daemon exit, or daemon crash)
or possibly have unspecified other impact via (1) OPT data or (2) an
ECS option.

The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal
functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos
5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1
allow remote authenticated users to cause a denial of service (NULL
pointer dereference and daemon crash) by specifying KADM5_POLICY with
a NULL policy name.

The (1) pptp_bind and (2) pptp_connect functions in
drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify
an address length, which allows local users to obtain sensitive
information from kernel memory and bypass the KASLR protection
mechanism via a crafted application.

The F1BookView ActiveX control in F1 Bookview in Schneider Electric
ProClima before 6.2 allows remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a crafted integer
value to the (1) AttachToSS, (2) CopyAll, (3) CopyRange, (4)
CopyRangeEx, or (5) SwapTable method, a different vulnerability than
CVE-2015-7918.

Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23, as
used in Google Chrome before 47.0.2526.80, allow attackers to cause a
denial of service or possibly have other impact via unknown vectors, a
different issue than CVE-2015-8478.

The networking implementation in the Linux kernel through 4.3.3, as
used in Android and other products, does not validate protocol
identifiers for certain protocol families, which allows local users to
cause a denial of service (NULL function pointer dereference and
system crash) or possibly gain privileges by leveraging CLONE_NEWUSER
support to execute a crafted SOCK_RAW application.

The KEYS subsystem in the Linux kernel before 4.4 allows local users
to gain privileges or cause a denial of service (BUG) via crafted
keyctl commands that negatively instantiate a key, related to
security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and
security/keys/user_defined.c.

Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23, as
used in Google Chrome before 47.0.2526.73, allow attackers to cause a
denial of service or possibly have other impact via unknown vectors.

The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices
before 2015-10-12 has a hardcoded password for the BlackWidow account,
which makes it easier for remote attackers to obtain access via a (1)
SSH or (2) HTTP session, a different vulnerability than CVE-2016-1984.

The Frontel protocol before 3 on RSI Video Technologies Videofied
devices does not use integrity protection, which makes it easier for
man-in-the-middle attackers to (1) initiate a false alarm or (2)
deactivate an alarm by modifying the client-server data stream.

net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0
does not validate attempted changes to the MTU value, which allows
context-dependent attackers to cause a denial of service (packet loss)
via a value that is (1) smaller than the minimum compliant value or
(2) larger than the MTU of an interface, as demonstrated by a Router
Advertisement (RA) message that is not validated by a daemon, a
different vulnerability than CVE-2015-0272. NOTE: the scope of
CVE-2015-0272 is limited to the NetworkManager product.

Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE
functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54,
1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before
1.6.19 allow remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
small bit-depth value in an IHDR (aka image header) chunk in a PNG
image.

Multiple integer overflows in the NDEF record parser in hostapd before
2.5 and wpa_supplicant before 2.5 allow remote attackers to cause a
denial of service (process crash or infinite loop) via a large payload
length field value in an (1) WPS or (2) P2P NFC NDEF record, which
triggers an out-of-bounds read.

Multiple integer overflows in the kernel mode driver for the NVIDIA
GPU graphics driver R340 before 341.92, R352 before 354.35, and R358
before 358.87 on Windows and R304 before 304.131, R340 before 340.96,
R352 before 352.63, and R358 before 358.16 on Linux allow local users
to obtain sensitive information, cause a denial of service (crash), or
possibly gain privileges via unknown vectors, which trigger
uninitialized or out of bounds memory access. NOTE: this identifier
has been SPLIT per ADT2 and ADT3 due to different vulnerability type
and affected versions. See CVE-2015-8328 for the vulnerability in the
NVAPI support layer in NVIDIA drivers for Windows.

Multiple unspecified vulnerabilities in Google V8 before 4.6.85.23, as
used in Google Chrome before 46.0.2490.71, allow attackers to cause a
denial of service or possibly have other impact via unknown vectors.

Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b,
6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before
6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b,
6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20
before 6.3.0r21 allows remote attackers to obtain administrative
access by entering an unspecified password during a (1) SSH or (2)
TELNET session.

Tails before 1.7 includes the wget program but does not prevent
automatic fallback from passive FTP to active FTP, which allows remote
FTP servers to discover the Tor client IP address by reading a (1)
PORT or (2) EPRT command. NOTE: within wget itself, the automatic
fallback is not considered a vulnerability by CVE.

Multiple stack-based buffer overflows in the (1) send_dg and (2)
send_vc functions in the libresolv library in the GNU C Library (aka
glibc or libc6) before 2.23 allow remote attackers to cause a denial
of service (crash) or possibly execute arbitrary code via a crafted
DNS response that triggers a call to the getaddrinfo function with the
AF_UNSPEC or AF_INET6 address family, related to performing "dual
A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.

IBM DataPower Gateway appliances with firmware 6.x before 6.0.0.17,
6.0.1.x before 6.0.1.17, 7.x before 7.0.0.10, 7.1.0.x before 7.1.0.7,
and 7.2.x before 7.2.0.1 do not set the secure flag for unspecified
cookies in an https session, which makes it easier for remote
attackers to capture these cookies by intercepting their transmission
within an http session.

Multiple race conditions in the Advanced Union Filesystem (aufs)
aufs3-mmap.patch and aufs4-mmap.patch patches for the Linux kernel 3.x
and 4.x allow local users to cause a denial of service (use-after-free
and BUG) or possibly gain privileges via a (1) madvise or (2) msync
system call, related to mm/madvise.c and mm/msync.c.

The Twitter module 6.x-5.x before 6.x-5.2, 7.x-5.x before 7.x-5.9, and
7.x-6.x before 7.x-6.0 for Drupal does not properly check access
permissions, which allows remote authenticated users to post tweets to
arbitrary accounts by leveraging the (1) "post to twitter" permission
or change the options for arbitrary attached accounts by leveraging
the (2) "add twitter accounts" or (3) "add authenticated twitter
accounts" permission.

The (1) AddWeightedPathSegLists and (2)
SVGPathSegListSMILType::Interpolate functions in Mozilla Firefox
before 42.0 and Firefox ESR 38.x before 38.4 lack status checking,
which allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via a crafted
SVG document.

The VertexBufferInterface::reserveVertexSpace function in libGLES in
ANGLE, as used in Mozilla Firefox before 41.0 and Firefox ESR 38.x
before 38.3 on Windows, incorrectly allocates memory for shader
attribute arrays, which allows remote attackers to execute arbitrary
code or cause a denial of service (buffer overflow and application
crash) via crafted (1) OpenGL or (2) WebGL content.

The ProgramBinary::linkAttributes function in libGLES in ANGLE, as
used in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3
on Windows, mishandles shader access, which allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption
and application crash) via crafted (1) OpenGL or (2) WebGL content.

Notification Center in Apple iOS before 9.1 mishandles changes to
"Show on Lock Screen" settings, which allows physically proximate
attackers to obtain sensitive information by looking for a (1) Phone
or (2) Messages notification on the lock screen soon after a setting
was disabled.

Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x
before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to
execute arbitrary code via vectors related to (1) the Serializable
interface, (2) the SplObjectStorage class, and (3) the
SplDoublyLinkedList class, which are mishandled during
unserialization.

The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in
FFmpeg before 2.7.2 does not initialize certain structure members,
which allows remote attackers to cause a denial of service (invalid
pointer access) or possibly have unspecified other impact via crafted
(1) RV30 or (2) RV40 RealVideo data.

Multiple integer underflows in the ff_mjpeg_decode_frame function in
libavcodec/mjpegdec.c in FFmpeg before 2.7.2 allow remote attackers to
cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted MJPEG data.

The opj_dwt_decode_1* functions in dwt.c in OpenJPEG, as used in
PDFium in Google Chrome before 47.0.2526.73, allow remote attackers to
cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted JPEG 2000 data that is
mishandled during a discrete wavelet transform.

Multiple cross-site scripting (XSS) vulnerabilities in the Time
Tracker module 7.x-1.x before 7.x-1.4 for Drupal allow remote
authenticated users with certain permissions to inject arbitrary web
script or HTML via a (1) note added to a time entry or an (2) activity
used to categorize time tracker entries.

Basware Banking (Maksuliikenne) before 8.90.07.X relies on the client
to enforce (1) login verification, (2) audit trail creation, and (3)
account locking, which allows remote attackers to "disrupt
security-critical functions" by "dropping network traffic." NOTE: this
identifier was SPLIT from CVE-2015-0942 per ADT2 and ADT3 due to
different vulnerability type and different affected versions.

Multiple cross-site scripting (XSS) vulnerabilities in the
SemanticForms extension for MediaWiki allow remote attackers to inject
arbitrary web script or HTML via the (1) wpSummary parameter to
Special:FormEdit, the (2) "Template label (optional)" field in a form,
or a (3) Field name in a template.

libutils in Android through 5.1.1 LMY48M allows remote attackers to
execute arbitrary code via crafted metadata in a (1) MP3 or (2) MP4
file, as demonstrated by an attack against use of libutils by
libstagefright in Android 5.x.

Multiple unspecified vulnerabilities in Google V8 before 4.5.103.29,
as used in Google Chrome before 45.0.2454.85, allow attackers to cause
a denial of service or possibly have other impact via unknown vectors.

Multiple integer overflows in the evbuffer API in Libevent 2.0.x
before 2.0.22 and 2.1.x before 2.1.5-beta allow context-dependent
attackers to cause a denial of service or possibly have other
unspecified impact via "insanely large inputs" to the (1)
evbuffer_add, (2) evbuffer_prepend, (3) evbuffer_expand, (4)
evbuffer_reserve_space, or (5) evbuffer_read function, which triggers
a heap-based buffer overflow or an infinite loop. NOTE: this
identifier was SPLIT from CVE-2014-6272 per ADT3 due to different
affected versions.

conntrackd in conntrack-tools 1.4.2 and earlier does not ensure that
the optional kernel modules are loaded before using them, which allows
remote attackers to cause a denial of service (crash) via a (1) DCCP,
(2) SCTP, or (3) ICMPv6 packet.

The (1) Service Provider (SP) and (2) Identity Provider (IdP) in
PicketLink before 2.7.0 do not ensure that the Destination attribute
in a Response element in a SAML assertion matches the location from
which the message was received, which allows remote attackers to have
unspecified impact via unknown vectors. NOTE: this identifier was
SPLIT from CVE-2015-0277 per ADT2 due to different vulnerability
types.

The dissector-table implementation in epan/packet.c in Wireshark
1.12.x before 1.12.7 mishandles table searches for empty strings,
which allows remote attackers to cause a denial of service
(application crash) via a crafted packet, related to the (1)
dissector_get_string_handle and (2)
dissector_get_default_string_handle functions.

The web management interface on Mediabridge Medialink MWN-WAPR300N
devices with firmware 5.07.50 has a default password of admin for the
admin account and a default password of password for the medialink
account, which allows remote attackers to obtain administrative
privileges by leveraging a Wi-Fi session.

The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, (4)
mdare64_52.sys, and (5) Fortishield.sys drivers in Fortinet
FortiClient before 5.2.4 do not properly restrict access to the API
for management of processes and the Windows registry, which allows
local users to obtain a privileged handle to a PID and possibly have
unspecified other impact, as demonstrated by a 0x2220c8 ioctl call.

The Fortishield.sys driver in Fortinet FortiClient before 5.2.4 allows
local users to execute arbitrary code with kernel privileges by
setting the callback function in a (1) 0x220024 or (2) 0x220028 ioctl
call.

Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before
4.4.2 does not properly implement the DCE-RPC layer, which allows
remote attackers to perform protocol-downgrade attacks, cause a denial
of service (application crash or CPU consumption), or possibly execute
arbitrary code on a client system via unspecified vectors.

The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux
kernel before 4.0.6 provide inappropriate -EAGAIN return values, which
allows remote attackers to cause a denial of service (EPOLLET epoll
application read outage) via an incorrect checksum in a UDP packet, a
different vulnerability than CVE-2015-5364.

The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux
kernel before 4.0.6 do not properly consider yielding a processor,
which allows remote attackers to cause a denial of service (system
hang) via incorrect checksums within a UDP packet flood.

Multiple cross-site scripting (XSS) vulnerabilities in the survey
module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before
2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to
inject arbitrary web script or HTML by leveraging the student role and
entering a crafted survey answer.

ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before
4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles string
lengths, which allows remote attackers to obtain sensitive information
from daemon heap memory by sending crafted packets and then reading
(1) an error message or (2) a database value.

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and
1.8.x before 1.8.3 uses an incorrect regular expression, which allows
remote attackers to inject arbitrary headers and conduct HTTP response
splitting attacks via a newline character in an (1) email message to
the EmailValidator, a (2) URL to the URLValidator, or unspecified
vectors to the (3) validate_ipv4_address or (4) validate_slug
validator.

Multiple cross-site scripting (XSS) vulnerabilities in the MetalGenix
GeniXCMS 0.0.3 allow remote attackers to inject arbitrary web script
or HTML via the (1) content or (2) title field in an add action in the
posts page to index.php or the (3) q parameter in the posts page to
index.php.

PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does
not ensure that pathnames lack %00 sequences, which might allow remote
attackers to read or write to arbitrary files via crafted input to an
application that calls (1) a DOMDocument save method or (2) the GD
imagepsloadfont function, as demonstrated by a filename\0.html attack
that bypasses an intended configuration in which client users may
write to only .html files.

The ConvertDialogOptions function in Mozilla Firefox before 41.0 and
Firefox ESR 38.x before 38.3 might allow remote attackers to cause a
denial of service (memory corruption and application crash) or
possibly have unspecified other impact via unknown vectors.

NetworkUtils.cpp in Mozilla Firefox before 41.0 and Firefox ESR 38.x
before 38.3 might allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly have unspecified
other impact via unknown vectors.

The js::jit::AssemblerX86Shared::lock_addl function in the JavaScript
implementation in Mozilla Firefox before 40.0 and Firefox ESR 38.x
before 38.2 allows remote attackers to cause a denial of service
(application crash) by leveraging the use of shared memory and
accessing (1) an Atomics object or (2) a SharedArrayBuffer object.

Multiple integer overflows in the search_chunk function in chmd.c in
libmspack before 0.5 allow remote attackers to cause a denial of
service (buffer over-read and application crash) via a crafted CHM
file.

The EAP-pwd server and peer implementation in hostapd and
wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a
denial of service (out-of-bounds read and crash) via a crafted (1)
Commit or (2) Confirm message payload.

FragmentListener in the HttpKernel component in Symfony 2.3.19 through
2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through
2.6.7, when ESI or SSI support is enabled, does not check if the
_controller attribute is set, which allows remote attackers to bypass
URL signing and security rules by including (1) no hash or (2) an
invalid hash in a request to /_fragment.

PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9
truncates a pathname upon encountering a \x00 character in certain
situations, which allows remote attackers to bypass intended extension
restrictions and access files or directories with unexpected names via
a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or
(4) readlink. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2006-7243.

The OZWPAN driver in the Linux kernel through 4.0.5 relies on an
untrusted length field during packet parsing, which allows remote
attackers to obtain sensitive information from kernel memory or cause
a denial of service (out-of-bounds read and system crash) via a
crafted packet.

drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux
kernel through 4.0.5 does not ensure that certain length values are
sufficiently large, which allows remote attackers to cause a denial of
service (system crash or large loop) or possibly execute arbitrary
code via a crafted packet, related to the (1) oz_usb_rx and (2)
oz_usb_handle_ep_data functions.

Multiple unspecified vulnerabilities in Google V8 before 4.3.61.21, as
used in Google Chrome before 43.0.2357.65, allow attackers to cause a
denial of service or possibly have other impact via unknown vectors.

The Region_createFromParcel function in
core/jni/android/graphics/Region.cpp in Region in Android before 5.1.1
LMY48M does not check the return values of certain read operations,
which allows attackers to execute arbitrary code via an application
that sends a crafted message to a service, aka internal bug 21585255.

The (1) dissect_tfs_request and (2) dissect_tfs_response functions in
epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in
Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 interpret a
zero value as a length rather than an error condition, which allows
remote attackers to cause a denial of service (infinite loop) via a
crafted packet.

Multiple memory leaks in the x11_init_protocol function in
epan/dissectors/packet-x11.c in the X11 dissector in Wireshark 1.10.x
before 1.10.14 and 1.12.x before 1.12.5 allow remote attackers to
cause a denial of service (memory consumption) via a crafted packet.

The Content Security Policy implementation in WebKit in Apple Safari
before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS
before 8.4.1 and other products, does not properly restrict cookie
transmission for report requests, which allows remote attackers to
obtain sensitive information via vectors involving (1) a cross-origin
request or (2) a private-browsing request.

Multiple buffer overflows in the printf functionality in SQLite, as
used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via unspecified vectors.

The FireWire driver in IOFireWireFamily in Apple OS X before 10.10.4
allows attackers to execute arbitrary code in a privileged context or
cause a denial of service (NULL pointer dereference) via a crafted
app.

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and
earlier and KVM, allows local guest users to cause a denial of service
(out-of-bounds write and guest crash) or possibly execute arbitrary
code via the (1) FD_CMD_READ_ID, (2)
FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka
VENOM.

The _clone function in XML::LibXML before 2.0119 does not properly set
the expand_entities option, which allows remote attackers to conduct
XML external entity (XXE) attacks via crafted XML data to the (1) new
or (2) load_xml function.

Multiple cross-site scripting (XSS) vulnerabilities in WordPress
before 4.1.2, when MySQL is used without strict mode, allow remote
attackers to inject arbitrary web script or HTML via a (1) four-byte
UTF-8 character or (2) invalid character that reaches the database
layer, as demonstrated by a crafted character in a comment.

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does
not ensure that pathnames lack %00 sequences, which might allow remote
attackers to read or write to arbitrary files via crafted input to an
application that calls (1) a DOMDocument load method, (2) the
xmlwriter_open_uri function, (3) the finfo_file function, or (4) the
hash_hmac_file function, as demonstrated by a filename\0.xml attack
that bypasses an intended configuration in which client users may read
only .xml files.

Multiple open redirect vulnerabilities in the Tadaa! module before
7.x-1.4 for Drupal allow remote attackers to redirect users to
arbitrary web sites and conduct phishing attacks via a URL in a
destination parameter, related to callbacks that (1) enable and
disable modules or (2) change variables.

Multiple unspecified vulnerabilities in Google V8 before 4.2.77.14, as
used in Google Chrome before 42.0.2311.90, allow attackers to cause a
denial of service or possibly have other impact via unknown vectors.

libreswan 3.9 through 3.12 allows remote attackers to cause a denial
of service (daemon restart) via an IKEv1 packet with (1) unassigned
bits set in the IPSEC DOI value or (2) the next payload value set to
ISAKMP_NEXT_SAK.

fusermount in FUSE before 2.9.3-15 does not properly clear the
environment before invoking (1) mount or (2) umount as root, which
allows local users to write to arbitrary files via a crafted
LIBMOUNT_MTAB environment variable that is used by mount's debugging
feature.

The Montgomery squaring implementation in
crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the
x86_64 platform, as used by the BN_mod_exp function, mishandles carry
propagation and produces incorrect output, which makes it easier for
remote attackers to obtain sensitive private-key information via an
attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman
Ephemeral (DHE) ciphersuite.

The invokeNextValve function in
identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in
PicketLink before 2.8.0.Beta1 does not properly check role based
authorization, which allows remote authenticated users to gain access
to restricted application resources via a (1) direct request or (2)
request through an SP initiated flow.

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before
1.24.2, when using HHVM, allows remote attackers to cause a denial of
service (CPU and memory consumption) via a large number of nested
entity references in an (1) SVG file or (2) XMP metadata in a PDF
file, aka a "billion laughs attack," a different vulnerability than
CVE-2015-2937.

Actiontec GT784WN modems with firmware before NCS01-1.0.13 have
hardcoded credentials, which makes it easier for remote attackers to
obtain root access by connecting to the web administration interface.

The FileInfo plugin before 2.22 for Ghisler Total Commander allows
remote attackers to cause a denial of service (out-of-bounds read and
application crash) via (1) a large Size value in the Archive Member
Header of a COFF Archive Library file, (2) a large Number Of Symbols
value in the 1st Linker Member of a COFF Archive Library file, (3) a
large Resource Table Count value in the LE Header of a Linear
Executable file, or (4) a large value in a certain Object field in a
Resource Table Entry in a Linear Executable file.

arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not
prevent the TS_COMPAT flag from reaching a user-mode task, which might
allow local users to bypass the seccomp or audit protection mechanism
via a crafted application that uses the (1) fork or (2) close system
call, as demonstrated by an attack against seccomp before 3.16.

Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1 allow
remote attackers to cause a denial of service (memory corruption and
crash) via a crafted (1) Ubyte Size in a DataSubBlock structure or (2)
LZWMinimumCodeSize in a GIF image.

QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict
access to PCI command registers, which might allow local HVM guest
users to cause a denial of service (non-maskable interrupt and host
crash) by disabling the (1) memory or (2) I/O decoding for a PCI
Express device and then accessing the device, which triggers an
Unsupported Request (UR) response.

Multiple cross-site scripting (XSS) vulnerabilities in the Search app
in Gaia in Mozilla Firefox OS before 2.2 allow remote attackers to
inject arbitrary HTML via the (1) name or (2) title field in card
content associated with a search link that is mishandled after a HOME
button press or a Show Windows action, as demonstrated by embedding an
arbitrary application or spoofing the account-creation page.

Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and
Thunderbird before 38.1 do not enforce key pinning upon encountering
an X.509 certificate problem that generates a user dialog, which
allows user-assisted man-in-the-middle attackers to bypass intended
access restrictions by triggering a (1) expired certificate or (2)
mismatched hostname for a domain with pinning enabled.

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x
before 1.13.2 do not properly track whether a client's request has
been validated, which allows remote attackers to bypass an intended
preauthentication requirement by providing (1) zero bytes of data or
(2) an arbitrary realm name, related to plugins/preauth/otp/main.c and
plugins/preauth/pkinit/pkinit_srv.c.

net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate
certain range data for (1) sendto and (2) recvfrom system calls, which
allows local users to gain privileges by leveraging a subsystem that
uses the copy_from_iter function in the iov_iter interface, as
demonstrated by the Bluetooth subsystem.

The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8
engines, as used in Internet Explorer 8 through 11 and other products,
allow remote attackers to execute arbitrary code or cause a denial of
service (memory corruption) via a crafted replace operation with a
JavaScript regular expression, aka "Scripting Engine Memory Corruption
Vulnerability."

Multiple SQL injection vulnerabilities in
admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast
plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for
WordPress allow remote authenticated users to execute arbitrary SQL
commands via the (1) order_by or (2) order parameter in the
wpseo_bulk-editor page to wp-admin/admin.php. NOTE: this can be
leveraged using CSRF to allow remote attackers to execute arbitrary
SQL commands.

The remove_bad_chars function in utils/cups-browsed.c in cups-filters
before 1.0.66 allows remote IPP printers to execute arbitrary commands
via consecutive shell metacharacters in the (1) model or (2) PDL.
NOTE: this vulnerability exists because of an incomplete fix for
CVE-2014-2707.

Google Chrome before 41.0.2272.76, when Instant Extended mode is used,
does not properly consider the interaction between the "1993 search"
features and restore-from-disk RELOAD transitions, which makes it
easier for remote attackers to spoof the address bar for a
search-results page by leveraging (1) a compromised search engine or
(2) an XSS vulnerability in a search engine, a different vulnerability
than CVE-2015-1231.

Multiple unspecified vulnerabilities in Google V8 before 4.1.0.21, as
used in Google Chrome before 41.0.2272.76, allow attackers to cause a
denial of service or possibly have other impact via unknown vectors.

epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x
before 1.10.13 and 1.12.x before 1.12.4 does not properly initialize a
data structure, which allows remote attackers to cause a denial of
service (out-of-bounds read and application crash) via a crafted
packet that is improperly handled during decompression.

The dissect_atn_cpdlc_heur function in
asn1/atn-cpdlc/packet-atn-cpdlc-template.c in the ATN-CPDLC dissector
in Wireshark 1.12.x before 1.12.4 does not properly follow the
TRY/ENDTRY code requirements, which allows remote attackers to cause a
denial of service (stack memory corruption and application crash) via
a crafted packet.

The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY
0.51 through 0.63 do not properly wipe SSH-2 private keys from memory,
which allows local users to obtain sensitive information by reading
the memory.

The osi_print_cksum function in print-isoclns.c in the ethernet
printer in tcpdump before 4.7.2 allows remote attackers to cause a
denial of service (out-of-bounds read and crash) via a crafted (1)
length, (2) offset, or (3) base pointer checksum value.

Xen 4.5.x and earlier enables certain default backends when emulating
a VGA device for an x86 HVM guest qemu even when the configuration
disables them, which allows local guest users to obtain access to the
VGA console by (1) setting the DISPLAY environment variable, when
compiled with SDL support, or connecting to the VNC server on (2) ::1
or (3) 127.0.0.1, when not compiled with SDL support.

Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not
properly restrict access to PCI command registers, which might allow
local guest OS users to cause a denial of service (non-maskable
interrupt and host crash) by disabling the (1) memory or (2) I/O
decoding for a PCI Express device and then accessing the device, which
triggers an Unsupported Request (UR) response.

HP TippingPoint Security Management System (SMS) and TippingPoint
Virtual Security Management System (vSMS) before 4.1 patch 3 and 4.2
before patch 1 do not require authentication for JBoss RMI requests,
which allows remote attackers to execute arbitrary code by (1)
uploading this code within an archive or (2) instantiating a class.

Multiple buffer overflows in WebGate Embedded Standard Protocol (WESP)
SDK allow remote attackers to execute arbitrary code via unspecified
vectors to the (1) LoadImage or (2) LoadImageEx function in the
WESPMonitor.WESPMonitorCtrl.1 control, (3) ChangePassword function in
the WESPCONFIGLib.UserItem control, Connect function in the (4)
WESPSerialPort.WESPSerialPortCtrl.1 or (5)
WESPPLAYBACKLib.WESPPlaybackCtrl control, or (6) AddID function in the
WESPCONFIGLib.IDList control or a (7) long string to the second
argument to the ConnectEx3 function in the
WESPPLAYBACKLib.WESPPlaybackCtrl control.

IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 does
not set the secure flag for unspecified cookies in an https session,
which makes it easier for remote attackers to capture these cookies by
intercepting their transmission within an http session.

Heap-based buffer overflow in chrony before 1.31.1 allows remote
authenticated users to cause a denial of service (chronyd crash) or
possibly execute arbitrary code by configuring the (1) NTP or (2)
cmdmon access with a subnet size that is indivisible by four and an
address with a nonzero bit in the subnet remainder.

The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont
before 1.4.9 and 1.5.x before 1.5.1 allows remote authenticated users
to cause a denial of service (out-of-bounds write and crash) or
possibly execute arbitrary code via a (1) negative or (2) large
property count in a BDF font file.

The stack randomization feature in the Linux kernel before 3.19.1 on
64-bit platforms uses incorrect data types for the results of bitwise
left-shift operations, which makes it easier for attackers to bypass
the ASLR protection mechanism by predicting the address of the top of
the stack, related to the randomize_stack_top function in
fs/binfmt_elf.c and the stack_maxrandom_size function in
arch/x86/mm/mmap.c.

The AppWidgetServiceImpl implementation in
com/android/server/appwidget/AppWidgetServiceImpl.java in the Settings
application in Android before 5.1.1 LMY48I allows attackers to obtain
a URI permission via an application that sends an Intent with a (1)
FLAG_GRANT_READ_URI_PERMISSION or (2) FLAG_GRANT_WRITE_URI_PERMISSION
flag, as demonstrated by bypassing intended restrictions on reading
contacts, aka internal bug 19618745.

Persistent Systems Radia Client Automation does not properly restrict
access to certain requests, which allows remote attackers to (1)
enumerate user accounts via a getUsers request, (2) assign a role to a
user account via an addAssigneesToRole request, (3) remove a role from
a user account via a removeAssigneesFromRole request, or (4) have
other unspecified impact.

Multiple integer overflows in the GraphicBuffer::unflatten function in
platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android
through 5.0 allow attackers to gain privileges or cause a denial of
service (memory corruption) via vectors that trigger a large number of
(1) file descriptors or (2) integer values.

Fortinet FortiAuthenticator 3.0.0 has a password of (1) slony for the
slony PostgreSQL user and (2) www-data for the www-data PostgreSQL
user, which makes it easier for remote attackers to obtain access via
unspecified vectors.

Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium,
as used in Google Chrome before 40.0.2214.91, allow remote attackers
to cause a denial of service (buffer overflow) or possibly have
unspecified other impact via a crafted PDF document, related to an
"intra-object-overflow" issue, a different vulnerability than
CVE-2015-1205.

The remote-management module in the (1) Multi Panels, (2) Comfort
Panels, and (3) RT Advanced functionality in Siemens SIMATIC WinCC
(TIA Portal) before 13 SP1 and in the (4) panels and (5) runtime
functionality in SIMATIC WinCC flexible before 2008 SP3 Up7 does not
properly encrypt credentials in transit, which makes it easier for
remote attackers to determine cleartext credentials by sniffing the
network and conducting a decryption attack.

Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15,
as used in Google Chrome before 40.0.2214.91, allow attackers to cause
a denial of service or possibly have other impact via unknown vectors.

kernel_crashdump in Apport before 2.19 allows local users to cause a
denial of service (disk consumption) or possibly gain privileges via a
(1) symlink or (2) hard link attack on /var/crash/vmcore.log.

attach.c in LXC 1.1.2 and earlier uses the proc filesystem in a
container, which allows local container users to escape AppArmor or
SELinux confinement by mounting a proc filesystem with a crafted (1)
AppArmor profile or (2) SELinux label.

object-observe.js in Google V8, as used in Google Chrome before
45.0.2454.101, does not properly restrict method calls on
access-checked objects, which allows remote attackers to bypass the
Same Origin Policy via a (1) observe or (2) getNotifier call.

The WebRequest API implementation in
extensions/browser/api/web_request/web_request_api.cc in Google Chrome
before 45.0.2454.85 does not properly consider a request's source
before accepting the request, which allows remote attackers to bypass
intended access restrictions via a crafted (1) app or (2) extension.

Multiple use-after-free vulnerabilities in the PrintWebViewHelper
class in components/printing/renderer/print_web_view_helper.cc in
Google Chrome before 45.0.2454.85 allow user-assisted remote attackers
to cause a denial of service or possibly have unspecified other impact
by triggering nested IPC messages during preparation for printing, as
demonstrated by messages associated with PDF documents in conjunction
with messages about printer capabilities.

Multiple integer overflows in the XML_GetBuffer function in Expat
through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other
products, allow remote attackers to cause a denial of service
(heap-based buffer overflow) or possibly have unspecified other impact
via crafted XML data, a related issue to CVE-2015-2716.

Multiple use-after-free vulnerabilities in
fpdfsdk/src/javascript/Document.cpp in PDFium, as used in Google
Chrome before 44.0.2403.89, allow remote attackers to cause a denial
of service or possibly have unspecified other impact via a crafted PDF
document, related to the (1) Document::delay and (2)
Document::DoFieldDelay functions.

Blink, as used in Google Chrome before 43.0.2357.130, does not
properly restrict the creation context during creation of a DOM
wrapper, which allows remote attackers to bypass the Same Origin
Policy via crafted JavaScript code that uses a Blink public API,
related to WebArrayBufferConverter.cpp, WebBlob.cpp, WebDOMError.cpp,
and WebDOMFileSystem.cpp.

Multiple use-after-free vulnerabilities in
content/renderer/media/user_media_client_impl.cc in the WebRTC
implementation in Google Chrome before 43.0.2357.65 allow remote
attackers to cause a denial of service or possibly have unspecified
other impact via crafted JavaScript code that executes upon completion
of a getUserMedia request.

The SearchEngineTabHelper::OnPageHasOSDD function in
browser/ui/search_engines/search_engine_tab_helper.cc in Google Chrome
before 42.0.2311.90 does not prevent use of a file: URL for an
OpenSearch descriptor XML document, which might allow remote attackers
to obtain sensitive information from local files via a crafted (1)
http or (2) https web site.

Multiple use-after-free vulnerabilities in
core/html/HTMLInputElement.cpp in the DOM implementation in Blink, as
used in Google Chrome before 41.0.2272.76, allow remote attackers to
cause a denial of service or possibly have unspecified other impact
via vectors that trigger extraneous change events, as demonstrated by
events for invalid input or input to read-only fields, related to the
initializeTypeInParsing and updateType functions.

Multiple use-after-free vulnerabilities in the
ServiceWorkerScriptCacheMap implementation in
content/browser/service_worker/service_worker_script_cache_map.cc in
Google Chrome before 41.0.2272.76 allow remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors that trigger a ServiceWorkerContextWrapper::DeleteAndStartOver
call, related to the NotifyStartedCaching and NotifyFinishedCaching
functions.

Multiple use-after-free vulnerabilities in the DOM implementation in
Blink, as used in Google Chrome before 41.0.2272.76, allow remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors that trigger movement of a SCRIPT element to
different documents, related to (1) the
HTMLScriptElement::didMoveToNewDocument function in
core/html/HTMLScriptElement.cpp and (2) the
SVGScriptElement::didMoveToNewDocument function in
core/svg/SVGScriptElement.cpp.

Multiple unspecified vulnerabilities in Google Chrome before
40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on
Android allow attackers to cause a denial of service or possibly have
other impact via unknown vectors.

CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause
a denial of service (reboot and messaging disruption) via crafted
Unicode text that is not properly handled during display truncation in
the Notifications feature, as demonstrated by Arabic characters in (1)
an SMS message or (2) a WhatsApp message.

The (1) setreuid and (2) setregid system-call implementations in the
kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple
TV before 7.2 do not properly perform privilege drops, which makes it
easier for attackers to execute code with unintended user or group
privileges via a crafted app.

Multiple use-after-free vulnerabilities in Privoxy before 3.0.22 allow
remote attackers to have unspecified impact via vectors related to (1)
the unmap function in list.c or (2) "two additional unconfirmed
use-after-free complaints made by Coverity scan." NOTE: some of these
details are obtained from third party information.

Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and
earlier allow remote attackers to cause a denial of service (heap
memory corruption) via vectors related to the height and width of a
window.

Multiple untrusted search path vulnerabilities in updater.exe in
Mozilla Firefox before 36.0, Firefox ESR 31.x before 31.5, and
Thunderbird before 31.5 on Windows, when the Maintenance Service is
not used, allow local users to gain privileges via a Trojan horse DLL
in (1) the current working directory or (2) a temporary directory, as
demonstrated by bcrypt.dll.

Cisco DTA Control System (DTACS) 4.0.0.9 and Cisco Headend System
Release allow remote attackers to cause a denial of service (CPU and
memory consumption, and TCP service outage) via (1) a SYN flood or (2)
another type of TCP traffic flood, aka Bug IDs CSCus50642, CSCus50662,
CSCus50625, CSCus50657, and CSCus68315.

Multiple race conditions in drivers/char/adsprpc.c and
drivers/char/adsprpc_compat.c in the ADSPRPC driver for the Linux
kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android
contributions for MSM devices and other products, allow attackers to
cause a denial of service (zero-value write) or possibly have
unspecified other impact via a COMPAT_FASTRPC_IOCTL_INVOKE_FD ioctl
call.

epan/dissectors/packet-smtp.c in the SMTP dissector in Wireshark
1.10.x before 1.10.12 and 1.12.x before 1.12.3 uses an incorrect
length value for certain string-append operations, which allows remote
attackers to cause a denial of service (application crash) via a
crafted packet.

Multiple use-after-free vulnerabilities in
epan/dissectors/packet-dec-dnart.c in the DEC DNA Routing Protocol
dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3
allow remote attackers to cause a denial of service (application
crash) via a crafted packet, related to the use of packet-scope memory
instead of pinfo-scope memory.

The dissect_wccp2r1_address_table_info function in
epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark
1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not initialize
certain data structures, which allows remote attackers to cause a
denial of service (application crash) via a crafted packet.

Multiple use-after-free vulnerabilities in
epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark
1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers
to cause a denial of service (application crash) via a crafted packet,
related to the use of packet-scope memory instead of pinfo-scope
memory.

Buffer overflow in the XnsSdkDeviceIpInstaller.ocx ActiveX control in
Samsung iPOLiS Device Manager 1.12.2 allows remote attackers to
execute arbitrary code via a long string in the first argument to the
(1) ReadConfigValue or (2) WriteConfigValue function.

The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with
firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the
web interface, which allows remote attackers to obtain sensitive
information or cause a denial of service (device restart) as
demonstrated by a direct request to (1) wlsecurity.html or (2)
resetrouter.html.

The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly
handle a lack of outer ContentInfo, which allows attackers to cause a
denial of service (NULL pointer dereference and application crash) by
leveraging an application that processes arbitrary PKCS#7 data and
providing malformed data with ASN.1 encoding, related to
crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.

The slapi-nis plug-in before 0.54.2 does not properly reallocate
memory when processing user accounts, which allows remote attackers to
cause a denial of service (infinite loop and CPU consumption) via a
request for a (1) group with a large number of members or (2) user
that belongs to a large number of groups.

The XFS implementation in the Linux kernel before 3.15 improperly uses
an old size value during remote attribute replacement, which allows
local users to cause a denial of service (transaction overrun and data
corruption) or possibly gain privileges by leveraging XFS filesystem
access.

IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5
through FP5 on Linux, UNIX, and Windows allows remote authenticated
users to cause a denial of service (daemon crash) by leveraging an
unspecified scalar function in a SQL statement.

ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey
Authentication is enabled, allows remote attackers to obtain sensitive
information from process memory or cause a denial of service (daemon
crash) via a packet containing an extension field with an invalid
value for the length of its value field.

Cross-site scripting (XSS) vulnerability in the Rules Link module
7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users
with the "administer rules links" permission to inject arbitrary web
script or HTML via unspecified vectors, which are not properly handled
in the (1) question and (2) description strings in a confirmation form
for a triggering Rules link.

The UDF filesystem implementation in the Linux kernel before 3.18.2
does not ensure that space is available for storing a symlink target's
name along with a trailing \0 character, which allows local users to
obtain sensitive information via a crafted filesystem image, related
to fs/udf/symlink.c and fs/udf/unicode.c.

The UDF filesystem implementation in the Linux kernel before 3.18.2
does not validate certain lengths, which allows local users to cause a
denial of service (buffer over-read and system crash) via a crafted
filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c.

The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in
QEMU 1.0 through 2.1.3 have multiple interpretations of a function's
return value, which allows guest OS users to cause a host OS denial of
service (memory consumption or infinite loop, and system crash) via a
PRDT with zero complete sectors, related to the bmdma_prepare_buf and
ahci_dma_prepare_buf functions.

The Btrfs implementation in the Linux kernel before 3.19 does not
ensure that the visible xattr state is consistent with a requested
replacement, which allows local users to bypass intended ACL settings
and gain privileges via standard filesystem operations (1) during an
xattr-replacement time window, related to a race condition, or (2)
after an xattr-replacement attempt that fails because the data does
not fit.

Multiple integer signedness errors in the pcf_get_encodings function
in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to
cause a denial of service (integer overflow, NULL pointer dereference,
and application crash) via a crafted PCF file that specifies negative
values for the first column and first row.

Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4
allow remote attackers to cause a denial of service (out-of-bounds
read or memory corruption) or possibly have unspecified other impact
via a crafted cmap SFNT table.

readelf.c in file before 5.22, as used in the Fileinfo component in
PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does
not consider that pread calls sometimes read only a subset of the
available data, which allows remote attackers to cause a denial of
service (uninitialized memory access) or possibly have unspecified
other impact via a crafted ELF file.

libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a
zero value of a slice height, which allows remote attackers to cause a
denial of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted Ut Video data, related to the (1)
restore_median and (2) restore_median_il functions.

sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x
through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a
.php file, does not properly consider the mapping's length during
processing of an invalid file that begins with a # character and lacks
a newline character, which causes an out-of-bounds read and might (1)
allow remote attackers to obtain sensitive information from php-cgi
process memory by leveraging the ability to upload a .php file or (2)
trigger unexpected code execution if a valid PHP script is present in
memory locations adjacent to the mapping.

The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly
restrict access to (1) new or (2) modified nodes or (3) their fields,
which allows remote authenticated users to obtain node titles,
teasers, and fields by reading a notification email.

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12
allow remote authenticated users to inject arbitrary web script or
HTML via a crafted (1) database, (2) table, or (3) column name that is
improperly handled during rendering of the table browse page; a
crafted ENUM value that is improperly handled during rendering of the
(4) table print view or (5) zoom search page; or (6) a crafted
pma_fontsize cookie that is improperly handled during rendering of the
home page.

coresymbolicationd in CoreSymbolication in Apple OS X before 10.10.2
does not verify that expected data types are present in XPC messages,
which allows attackers to execute arbitrary code in a privileged
context via a crafted app, as demonstrated by lack of verification of
xpc_dictionary_get_value API return values during handling of a (1)
match_mmap_archives, (2) delete_mmap_archives, (3) write_mmap_archive,
or (4) read_mmap_archive command.

Multiple integer underflows in the geonet_print function in tcpdump
4.5.0 through 4.6.2, when in verbose mode, allow remote attackers to
cause a denial of service (segmentation fault and crash) via a crafted
length value in a Geonet frame.

The dissect_write_structured_field function in
epan/dissectors/packet-tn5250.c in the TN5250 dissector in Wireshark
1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers
to cause a denial of service (infinite loop) via a crafted packet.

Multiple integer overflows in epan/dissectors/packet-amqp.c in the
AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before
1.12.2 allow remote attackers to cause a denial of service
(application crash) via a crafted amqp_0_10 PDU in a packet.

The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows
remote attackers to cause a denial of service (assertion failure and
named exit) via vectors related to (1) the lack of GeoIP databases for
both IPv4 and IPv6, or (2) IPv6 support with certain options.

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x
before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users
to execute arbitrary commands by leveraging the editcomponents
privilege and triggering crafted input to a two-argument Perl open
call, as demonstrated by shell metacharacters in a product name.

Multiple SQL injection vulnerabilities in the queryLastApp method in
packages/WAPPushManager/src/com/android/smspush/WapPushManager.java in
the WAPPushManager module in Android before 5.0.0 allow remote
attackers to execute arbitrary SQL commands, and consequently launch
an activity or service, via the (1) wapAppId or (2) contentType field
of a PDU for a malformed WAPPush message, aka Bug 17969135.

The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem
in the Linux kernel before 3.18-rc2 does not properly handle invalid
instructions, which allows guest OS users to cause a denial of service
(NULL pointer dereference and host OS crash) via a crafted application
that triggers (1) an improperly fetched instruction or (2) an
instruction that occupies too many bytes. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2014-8480.

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
does not enforce certain constraints on certificate data, which allows
remote attackers to defeat a fingerprint-based certificate-blacklist
protection mechanism by including crafted data within a certificate's
unsigned portion, related to crypto/asn1/a_verify.c,
crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and
crypto/x509/x_all.c.

GnuTLS before 2.9.10 does not verify the activation and expiration
dates of CA certificates, which allows man-in-the-middle attackers to
spoof servers via a certificate issued by a CA certificate that is (1)
not yet valid or (2) no longer valid.

The ELF parser (readelf.c) in file before 5.21 allows remote attackers
to cause a denial of service (CPU consumption or crash) via a large
number of (1) program or (2) section headers or (3) invalid
capabilities.

The DBE extension in X.Org X Window System (aka X11 or X) X11R6.1 and
X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote
authenticated users to cause a denial of service (out-of-bounds read
or write) or possibly execute arbitrary code via a crafted length or
index value to the (1) ProcDbeSwapBuffers or (2) SProcDbeSwapBuffers
function.

The API in the Guest Server in Cisco Jabber, when HTML5 is used,
allows remote attackers to obtain sensitive information by sniffing
the network during an HTTP (1) GET or (2) POST response, aka Bug ID
CSCus19801.

The API in the Guest Server in Cisco Jabber, when the HTML5 CORS
feature is used, allows remote attackers to obtain sensitive
information by sniffing the network during an HTTP (1) GET or (2) POST
request, aka Bug ID CSCus19789.

Multiple unspecified vulnerabilities in Google V8 before 3.28.71.15,
as used in Google Chrome before 38.0.2125.101, allow attackers to
cause a denial of service or possibly have other impact via unknown
vectors.

Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before
2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote
attackers to cause a denial of service (use-after-free) or possibly
have unspecified other impact via crafted Vorbis I data.

Multiple integer overflows in the CheckMov function in
media/base/container_names.cc in Google Chrome before 39.0.2171.65
allow remote attackers to cause a denial of service or possibly have
unspecified other impact via a large atom in (1) MPEG-4 or (2)
QuickTime .mov data.

Multiple use-after-free vulnerabilities in
modules/screen_orientation/ScreenOrientationController.cpp in Blink,
as used in Google Chrome before 39.0.2171.65, allow remote attackers
to cause a denial of service or possibly have unspecified other impact
via vectors that trigger improper handling of a detached frame,
related to the (1) lock and (2) unlock methods.

Multiple directory traversal vulnerabilities in server.rb in Sprockets
before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before
2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before
2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2,
2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before
3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow
remote attackers to determine the existence of files outside the
application root via a ../ (dot dot slash) sequence with (1) double
slashes or (2) URL encoding.

Multiple cross-site scripting (XSS) vulnerabilities in
admin/themes/default/pages/manage_users.twig in the Users Management
feature in the admin component in Chyrp before 2.5.1 allow remote
authenticated users to inject arbitrary web script or HTML via the (1)
user.email or (2) user.website field in a user registration.

GE Healthcare Precision THUNIS-800+ has a default password of (1) 1973
for the factory default System Utilities menu, (2) TH8740 for
installation using TH8740_122_Setup.exe, (3) hrml for "Setup and
Activation" using DSASetup, and (4) an empty string for Shutter
Configuration, which has unspecified impact and attack vectors. NOTE:
since these passwords appear to be used to access functionality during
installation, this issue might not cross privilege boundaries and
might not be a vulnerability.

GE Healthcare Discovery XR656 and XR656 G2 have a password of (1)
2getin for the insite user, (2) 4$xray for the xruser user, and (3)
#superxr for the root user, which has unspecified impact and attack
vectors. NOTE: it is not clear whether these passwords are default,
hardcoded, or dependent on another system or product that requires a
fixed value.

A certain Debian patch to the IPv6 implementation in the Linux kernel
3.2.x through 3.2.63 does not properly validate arguments in
ipv6_select_ident function calls, which allows local users to cause a
denial of service (NULL pointer dereference and system crash) by
leveraging (1) tun or (2) macvtap device access.

The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows
remote attackers to execute arbitrary PHP code via a crafted (1)
description field or (2) issuelink attribute in an XML file, which is
not properly handled when executing the preg_replace function with the
e modifier.

The (1) get_quoted_string and (2) get_unquoted_string functions in
epan/dissectors/packet-cups.c in the CUPS dissector in Wireshark
1.12.x before 1.12.1 allow remote attackers to cause a denial of
service (buffer over-read and application crash) via a CUPS packet
that lacks a trailing '\0' character.

Multiple integer overflows in the evbuffer API in Libevent 1.4.x
before 1.4.15, 2.0.x before 2.0.22, and 2.1.x before 2.1.5-beta allow
context-dependent attackers to cause a denial of service or possibly
have other unspecified impact via "insanely large inputs" to the (1)
evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function,
which triggers a heap-based buffer overflow or an infinite loop. NOTE:
this identifier has been SPLIT per ADT3 due to different affected
versions. See CVE-2015-6525 for the functions that are only affected
in 2.0 and later.

Multiple integer overflows in the http_request_forward_body function
in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 allow remote
attackers to cause a denial of service (crash) via a large stream of
data, which triggers a buffer overflow and an out-of-bounds read.

Zenoss Core through 5 Beta 3 does not properly implement the Check For
Updates feature, which allows remote attackers to execute arbitrary
code by (1) spoofing the callhome server or (2) deploying a crafted
web site that is visited during a login session, aka ZEN-12657.

Multiple SQL injection vulnerabilities in the All In One WP Security &
Firewall plugin before 3.8.3 for WordPress allow remote authenticated
users to execute arbitrary SQL commands via the (1) orderby or (2)
order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this
can be leveraged using CSRF to allow remote attackers to execute
arbitrary SQL commands.

The HandleRFBServerMessage function in libvncclient/rfbproto.c in
LibVNCServer 0.9.9 and earlier does not check certain malloc return
values, which allows remote VNC servers to cause a denial of service
(application crash) or possibly execute arbitrary code by specifying a
large screen size in a (1) FramebufferUpdate, (2) ResizeFrameBuffer,
or (3) PalmVNCReSizeFrameBuffer message.

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows
local users to write to arbitrary files via a symlink attack on a (1)
rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related
to the retrieveCacheFirst and useLocalCache functions.

MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a
krb5_read_message data field is represented as a string ending with a
'\0' character, which allows remote attackers to (1) cause a denial of
service (NULL pointer dereference) via a zero-byte version string or
(2) cause a denial of service (out-of-bounds read) by omitting the
'\0' character, related to appl/user_user/server.c and
lib/krb5/krb/recvauth.c.

The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1
and Juno before Juno-3 updates the issued_at value for UUID v2 tokens,
which allows remote authenticated users to bypass the token expiration
and retain access via a verification (1) GET or (2) HEAD request to
v3/auth/tokens/.

Unity before 7.2.3 and 7.3.x before 7.3.1, as used in Ubuntu, does not
properly take focus of the keyboard when switching to the lock screen,
which allows physically proximate attackers to bypass the lock screen
by (1) leveraging a machine that had text selected when locking or (2)
resuming from a suspension.

The APN decode functionality in (1) epan/dissectors/packet-gtp.c and
(2) epan/dissectors/packet-gsm_a_gm.c in the GTP and GSM Management
dissectors in Wireshark 1.10.x before 1.10.9 does not completely
initialize a certain buffer, which allows remote attackers to cause a
denial of service (application crash) via a crafted packet.

Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js
in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x
before 4.2.6 allow remote authenticated users to inject arbitrary web
script or HTML via a crafted (1) table name or (2) column name that is
improperly handled during construction of an AJAX confirmation
message.

Microsoft Windows XP SP3 does not validate addresses in certain IRP
handler routines, which allows local users to write data to arbitrary
memory locations, and consequently gain privileges, via a crafted
address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ
Access Control subsystem and (2) the BthPan.sys driver in the
Bluetooth Personal Area Networking subsystem.

IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before
9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does
not have an off autocomplete attribute for authentication fields,
which makes it easier for remote attackers to obtain access by
leveraging an unattended workstation.

Multiple integer overflows in sound/core/control.c in the ALSA control
implementation in the Linux kernel before 3.15.2 allow local users to
cause a denial of service by leveraging /dev/snd/controlCX access,
related to (1) index values in the snd_ctl_add function and (2) numid
values in the snd_ctl_remove_numid_conflict function.

Unquoted Windows search path vulnerability in EMC Replication Manager
through 5.5.2 and AppSync before 2.1.0 allows local users to gain
privileges via a Trojan horse application with a name composed of an
initial substring of a path that contains a space character.

EMC Documentum Content Server before 6.7 SP1 P29, 6.7 SP2 before P18,
7.0 before P16, and 7.1 before P09 allows remote authenticated users
to gain privileges by (1) placing a command in a dm_job object and
setting this object's owner to a privileged user or placing a rename
action in a dm_job_request object and waiting for a (2) dm_UserRename
or (3) dm_GroupRename service task, aka ESA-2014-105. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2014-2515.

** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe
function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in
the Linux kernel before 3.15.2 allow context-dependent attackers to
cause a denial of service (memory corruption) via a crafted Literal
Run. NOTE: the author of the LZO algorithms says "the Linux kernel is
*not* affected; media hype."

Multiple heap-based buffer overflows in the parse_notify function in
sgminer before 4.2.2, cgminer before 4.3.5, and BFGMiner before 4.1.0
allow remote pool servers to have unspecified impact via a (1) large
or (2) negative value in the Extranonc2_size parameter in a
mining.subscribe response and a crafted mining.notify request.

libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and
Apple TV before 7.0.3 does not verify that certain values have the
expected data type, which allows attackers to execute arbitrary code
in an _networkd context via a crafted XPC message from a sandboxed
app, as demonstrated by lack of verification of the XPC dictionary
data type.

Safari in Apple iOS before 8 does not properly restrict the
autofilling of passwords in forms, which allows remote attackers to
obtain sensitive information via (1) an http web site, (2) an https
web site with an unacceptable X.509 certificate, or (3) an IFRAME
element.

mm/shmem.c in the Linux kernel through 3.15.1 does not properly
implement the interaction between range notification and hole
punching, which allows local users to cause a denial of service
(i_mutex hold) by using the mmap system call to access a hole, as
demonstrated by interfering with intended shmem activity by blocking
completion of (1) an MADV_REMOVE madvise call or (2) an
FALLOC_FL_PUNCH_HOLE fallocate call.

Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and
12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6
and 11.6 before 11.6-cert3 allows remote attackers to cause a denial
of service (connection consumption) via a large number of (1) inactive
or (2) incomplete HTTP connections.

Multiple cross-site scripting (XSS) vulnerabilities in
apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13
allow remote authenticated users to inject arbitrary web script or
HTML via a (1) tag or the (2) title of a source in a Staging folder,
(3) Name field in a bootstrap setup, or Title field in a (4) smart
link or (5) web form.

Multiple incomplete blacklist vulnerabilities in the
filemanager::isFileExclude method in the Media Manager in Dotclear
before 2.6.3 allow remote authenticated users to execute arbitrary PHP
code by uploading a file with a (1) double extension or (2) .php5, (3)
.phtml, or some other PHP file extension.

Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link
DAP 1150 with firmware 1.2.94 allow remote attackers to hijack the
authentication of administrators for requests that (1) enable or (2)
disable the DMZ in the Firewall/DMZ section via a request to index.cgi
or (3) add, (4) modify, or (5) delete URL-filter settings in the
Control/URL-filter section via a request to index.cgi, as demonstrated
by adding a rule that blocks access to google.com.

nmevent.c in the Novell GroupWise protocol plugin in libpurple in
Pidgin before 2.10.10 allows remote servers to cause a denial of
service (application crash) via a crafted server message that triggers
a large memory allocation.

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL
SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly
consider the Basic Constraints extension during verification of X.509
certificates from SSL servers, which allows man-in-the-middle
attackers to spoof servers and obtain sensitive information via a
crafted certificate.

The exif_ifd_make_value function in exif.c in the EXIF extension in
PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2
operates on floating-point arrays incorrectly, which allows remote
attackers to cause a denial of service (heap memory corruption and
application crash) or possibly execute arbitrary code via a crafted
JPEG image with TIFF thumbnail data that is improperly handled by the
exif_thumbnail function.

Buffer overflow in the date_from_ISO8601 function in the mkgmtime
implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP
before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows
remote attackers to cause a denial of service (application crash) via
(1) a crafted first argument to the xmlrpc_set_type function or (2) a
crafted argument to the xmlrpc_decode function, related to an
out-of-bounds read operation.

arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel
through 3.17.2 does not properly perform RIP changes, which allows
guest OS users to cause a denial of service (guest OS crash) via a
crafted application.

The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux
kernel through 3.16.1 miscalculates the number of pages during the
handling of a mapping failure, which allows guest OS users to (1)
cause a denial of service (host OS memory corruption) or possibly have
unspecified other impact by triggering a large gfn value or (2) cause
a denial of service (host OS memory consumption) by triggering a small
gfn value that leads to permanently pinned pages.

Multiple buffer overflows in the php_parserr function in
ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow
remote DNS servers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted DNS record, related to
the dns_get_record function and the dn_expand function. NOTE: this
issue exists because of an incomplete fix for CVE-2014-4049.

Multiple cross-site scripting (XSS) vulnerabilities in the
advanced-grading implementation in Moodle through 2.3.11, 2.4.x before
2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1
allow remote authenticated users to inject arbitrary web script or
HTML via a crafted (1) qualification or (2) rating field in a rubric.

The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14
incorrectly anticipates that certain data structures will have the
array data type after unserialization, which allows remote attackers
to execute arbitrary code via a crafted string that triggers use of a
Hashtable destructor, related to "type confusion" issues in
(1) ArrayObject and (2) SPLObjectStorage.

Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP
implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers
to cause a denial of service (application crash) or possibly have
unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B
parameter.

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL
0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i
allows remote DTLS servers to cause a denial of service (NULL pointer
dereference and client application crash) via a crafted handshake
message in conjunction with a (1) anonymous DH or (2) anonymous ECDH
ciphersuite.

Multiple cross-site scripting (XSS) vulnerabilities in the host YAML
view in Foreman before 1.4.5 and 1.5.x before 1.5.1 allow remote
attackers to inject arbitrary web script or HTML via a parameter (1)
name or (2) value related to the host.

The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU
Libtasn1 before 3.6 allow context-dependent attackers to cause a
denial of service (NULL pointer dereference and crash) via a NULL
value in an ivalue argument.

Google Chrome before 37.0.2062.60 and 38.x before 38.0.2125.59 on iOS
does not properly restrict processing of (1) facetime:// and (2)
facetime-audio:// URLs, which allows remote attackers to obtain video
and audio data from a device via a crafted web site.

Multiple buffer overflows in the command_port_read_callback function
in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver
in the Linux kernel before 3.16.2 allow physically proximate attackers
to execute arbitrary code or cause a denial of service (memory
corruption and system crash) via a crafted device that provides a
large amount of (1) EHCI or (2) XHCI data associated with a bulk
response.

Multiple stack-based buffer overflows in the magicmouse_raw_event
function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver
in the Linux kernel through 3.16.3 allow physically proximate
attackers to cause a denial of service (system crash) or possibly
execute arbitrary code via a crafted device that provides a large
amount of (1) EHCI or (2) XHCI data associated with an event.

Multiple unspecified vulnerabilities in Google Chrome before
37.0.2062.94 allow attackers to cause a denial of service or possibly
have other impact via unknown vectors, related to the
load_truetype_glyph function in truetype/ttgload.c in FreeType and
other functions in other components.

The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension
implementations in the sk_run_filter function in net/core/filter.c in
the Linux kernel through 3.14.3 do not check whether a certain length
value is sufficiently large, which allows local users to cause a
denial of service (integer underflow and system crash) via crafted BPF
instructions. NOTE: the affected code was moved to the
__skb_get_nlattr and __skb_get_nlattr_nest functions before the
vulnerability was announced.

IBM SPSS Modeler 16.0 before 16.0.0.1 on UNIX does not properly drop
group privileges, which allows local users to bypass intended
file-access restrictions by leveraging (1) gid 0 or (2) root's group
memberships.

Multiple directory traversal vulnerabilities in pam_timestamp.c in the
pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users
to create arbitrary files or possibly bypass authentication via a ..
(dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2)
PAM_TTY value to the check_tty function, which is used by the
format_timestamp_name function.

Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner
Standalone 3.5 and earlier allow remote attackers to hijack the
authentication of administrators for requests that (1) change the
administrator password via the config task to index2.php or (2) when
the enable_db_backup and sql_mem options are enabled, access the
database backup functionality via the dbbackup_comp parameter in the
generate action to index2.php. NOTE: vector 2 might be a duplicate of
CVE-2014-2340, which is for the XCloner Wordpress plugin. NOTE:
remote attackers can leverage CVE-2014-2996 with vector 2 to execute
arbitrary commands.

The OpenConnectionTask::handleStateHelper function in
Imap/Tasks/OpenConnectionTask.cpp in Trojita before 0.4.1 allows
man-in-the-middle attackers to trigger use of cleartext for saving a
message into a (1) sent or (2) draft folder via a PREAUTH response
that prevents later use of the STARTTLS command.

Multiple cross-site request forgery (CSRF) vulnerabilities in
twitget.php in the Twitget plugin before 3.3.3 for WordPress allow
remote attackers to hijack the authentication of administrators for
requests that change unspecified plugin options via a request to
wp-admin/options-general.php.

SQL injection vulnerability in xhr.php in InterWorx Web Control Panel
(aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14
build 577 allows remote authenticated users to execute arbitrary SQL
commands via the i parameter in a search action to the (1) NodeWorx,
(2) SiteWorx, or (3) Resellers interface, as demonstrated by the "or"
key in a pgn8state object in an i object in a JSON object.
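The i parameter above reaches the query as text, which is how an "or" clause in a search term turns a reseller-scoped search into every row in the table. Added example, not InterWorx code: the same search built by string formatting beside a parameterised version with LIKE wildcards escaped, run against an in-memory SQLite table constructed here. The accounts schema and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed data: three accounts split across two resellers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, reseller_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (name, reseller_id) VALUES (?, ?)",
        [("alpha", 1), ("beta", 1), ("gamma", 2)],
    )
    return conn


def search_unsafe(conn, reseller_id, term):
    """The vulnerable shape: the search term is spliced into the SQL text,
    so a quote followed by OR ... -- rewrites the WHERE clause."""
    sql = (
        f"SELECT name FROM accounts WHERE reseller_id = {int(reseller_id)} "
        f"AND name LIKE '%{term}%' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, reseller_id, term):
    """Parameterised query. LIKE metacharacters are escaped so '%' and '_'
    in the term match literally instead of widening the pattern."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (
        "SELECT name FROM accounts WHERE reseller_id = ? "
        "AND name LIKE ? ESCAPE '\\' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql, (int(reseller_id), f"%{escaped}%"))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"          # constructed 'or' payload in the search term
    print("legit  unsafe:", search_unsafe(db, 1, "a"))
    print("legit  safe:  ", search_safe(db, 1, "a"))
    print("inject unsafe:", search_unsafe(db, 1, payload))  # every reseller's rows
    print("inject safe:  ", search_safe(db, 1, payload))    # nothing matches
```

Note that the int() cast on reseller_id is not what protects the unsafe version; the string field is the hole, and the `--` comment also discards the ORDER BY clause that followed it.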

net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through
3.13.6 uses a DCCP header pointer incorrectly, which allows remote
attackers to cause a denial of service (system crash) or possibly
execute arbitrary code via a DCCP packet that triggers a call to the
(1) dccp_new, (2) dccp_packet, or (3) dccp_error function.

The password recovery service in Open-Xchange AppSuite before
7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13
makes an improper decision about the sensitivity of a string
representing a previously used but currently invalid password, which
allows remote attackers to obtain potentially useful password-pattern
information by reading (1) a web-server access log, (2) a web-server
Referer log, or (3) browser history that contains this string because
of its presence in a GET request.

The Storage and Access service in BlackBerry OS 10.x before
10.2.1.1925 on Q5, Q10, Z10, and Z30 devices does not enforce the
password requirement for SMB filesystem access, which allows
context-dependent attackers to read arbitrary files via (1) a session
over a Wi-Fi network or (2) a session over a USB connection in
Development Mode.

IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to
bypass authentication by rekeying an IKE_SA during (1) initiation or
(2) re-authentication, which triggers the IKE_SA state to be set to
established.

channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1,
11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk
1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip
has a certain configuration, allows remote authenticated users to
cause a denial of service (channel and file descriptor consumption)
via an INVITE request with a (1) Session-Expires or (2) Min-SE header
with a malformed or invalid value.

The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer
functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly
check if a subroutine exists, which allows remote attackers to cause a
denial of service (assertion failure), as demonstrated by a crafted
ttf file.

Open redirect vulnerability in the header function in adclick.php in
OpenX 2.8.10 and earlier allows remote attackers to redirect users to
arbitrary web sites and conduct phishing attacks via a URL in the (1)
dest parameter to adclick.php or (2) _maxdest parameter to ck.php.
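An open redirect needs only a destination parameter echoed into a Location header. Added example, not OpenX code: a validator that resolves the dest value against the site's own origin and only permits hosts on an allowlist, so scheme-relative (//host), backslash, foreign-scheme and userinfo (host@evil) forms all fall back to a default. OWN_ORIGIN and ALLOWED_HOSTS are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumptions: the ad server's own origin and the hosts it may send users to.
OWN_ORIGIN = "https://ads.example.com/"
ALLOWED_HOSTS = {"ads.example.com", "www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(dest, default="/"):
    """Return dest if it lands on an allowed host, else default.

    dest is resolved against OWN_ORIGIN first so that relative paths stay
    local and every absolute or scheme-relative form is judged by the host
    it actually resolves to."""
    if not dest:
        return default
    # Browsers treat backslashes as slashes in URLs; normalise before parsing
    # so '/\\evil' is seen as '//evil'.
    resolved = urljoin(OWN_ORIGIN, dest.replace("\\", "/"))
    parts = urlsplit(resolved)
    if parts.scheme not in ALLOWED_SCHEMES:
        return default            # javascript:, data:, and similar
    if parts.hostname not in ALLOWED_HOSTS:
        return default            # foreign host, including user@host tricks
    return resolved


def classify(dests):
    """Map each candidate destination to the target that would be used."""
    return {d: safe_redirect_target(d) for d in dests}


if __name__ == "__main__":
    # Constructed candidate values for the dest parameter.
    for dest, target in classify([
        "/landing?campaign=7",
        "http://www.example.com/offer",
        "https://evil.example.net/phish",
        "//evil.example.net/phish",
        "/\\evil.example.net/phish",
        "https://ads.example.com@evil.example.net/",
        "javascript:alert(1)",
    ]).items():
        print(f"{dest:45} -> {target}")
```

Where the set of legitimate destinations is fixed, replacing the URL parameter with an opaque identifier looked up server-side removes the problem entirely.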

ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check data types, which
might allow remote attackers to obtain sensitive information by using
a (1) string or (2) array data type in place of a numeric data type,
as demonstrated by an imagecrop function call with a string for the x
dimension value, a different vulnerability than CVE-2013-7226.

Multiple cross-site scripting (XSS) vulnerabilities in OXID eShop
Professional and Community Edition 4.6.8 and earlier, 4.7.x before
4.7.11, and 4.8.x before 4.8.4, and Enterprise Edition 4.6.8 and
earlier, 5.0.x before 5.0.11 and 5.1.x before 5.1.4 allow remote
attackers to inject arbitrary web script or HTML via the searchtag
parameter to the getTag function in (1)
application/controllers/details.php or (2)
application/controllers/tag.php.

The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen
4.2.x, 4.3.x, and 4.4-RC series allow local guests to cause a denial
of service or possibly gain privileges via crafted xenstore ring
indexes, which triggers a "read or write past the end of the ring."

The DrinkedIn BarFinder application for Android, when Adobe PhoneGap
2.9.0 or earlier is used, allows remote attackers to execute arbitrary
JavaScript code, and consequently obtain sensitive fine-geolocation
information, by leveraging control over one of a number of adult
sites, as demonstrated by (1) freelifetimecheating.com and (2)
www.babesroulette.com.

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier
on Windows Phone 7 and 8 do not properly restrict navigation events,
which allows remote attackers to bypass intended device-resource
restrictions via content that is accessed (1) in an IFRAME element or
(2) with the XMLHttpRequest method by a crafted application.

Adobe PhoneGap before 2.6.0 on Android uses the
shouldOverrideUrlLoading callback instead of the proper
shouldInterceptRequest callback, which allows remote attackers to
bypass intended device-resource restrictions via content that is
accessed (1) in an IFRAME element or (2) with the XMLHttpRequest
method by a crafted application.

The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py
in logilab-commons before 0.61.0 allow local users to overwrite
arbitrary files and possibly have other unspecified impact via a
symlink attack on /tmp/toto.fdf.

Phusion Passenger 4.0.37 allows local users to write to certain files
and directories via a symlink attack on (1) control_process.pid or a
(2) generation-* file. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2014-1831.
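Both entries above describe the same race: a privileged process opens a fixed, predictable path for writing, and an attacker who created a symlink there first redirects the write. Added example, not logilab-commons or Passenger code: the unsafe open beside one that uses O_CREAT|O_EXCL (plus O_NOFOLLOW where available) and one that uses tempfile.mkstemp; demo() constructs the attack in a scratch directory with a toto.fdf-style fixed name. The file names and contents are constructed for illustration.

```python
import errno
import os
import stat
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # absent on Windows; O_EXCL still protects


def write_fixed_name_unsafe(path, data):
    """The pattern in the advisories: a predictable path opened for writing.
    open() follows a symlink already sitting at that path."""
    with open(path, "w") as f:
        f.write(data)


def write_fixed_name_safe(path, data):
    """Create-only open: fails with EEXIST if anything (file or symlink) is
    already at path, and never follows a link. The caller must handle failure
    rather than fall back to the unsafe open."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def write_private_tempfile(data, prefix="fdf-"):
    """Preferred form: unpredictable name, O_EXCL and mode 0600 via mkstemp."""
    fd, path = tempfile.mkstemp(prefix=prefix)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Constructed attack: the attacker plants a symlink at the fixed name
    before the victim process writes to it."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")
        fixed = os.path.join(d, "toto.fdf")   # stands in for /tmp/toto.fdf
        os.symlink(victim, fixed)             # attacker's move

        write_fixed_name_unsafe(fixed, "attacker-controlled")
        with open(victim) as f:
            clobbered = f.read()

        try:
            write_fixed_name_safe(fixed, "data")
            safe_refused = False
        except OSError as e:
            safe_refused = e.errno in (errno.EEXIST, errno.ELOOP)

        tmp = write_private_tempfile("data")
        mode_ok = stat.S_IMODE(os.stat(tmp).st_mode) == 0o600
        os.unlink(tmp)
        return {
            "victim_clobbered": clobbered,
            "safe_open_refused": safe_refused,
            "tmp_mode_0600": mode_ok,
        }


if __name__ == "__main__":
    print(demo())
```

A pid file that must live at a known path (the Passenger and Subversion cases in this list) needs the same O_EXCL discipline, or a directory that only the daemon's own user can write to.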

Microsoft XML Core Services (aka MSXML) 3.0 and 6.0 does not properly
restrict the information transmitted by Internet Explorer during a
download action, which allows remote attackers to discover (1) full
pathnames on the client system and (2) local usernames embedded in
these pathnames via a crafted web site, aka "MSXML Entity URI
Vulnerability."

Multiple integer overflows in the replace-data functionality in the
CharacterData interface implementation in core/dom/CharacterData.cpp
in Blink, as used in Google Chrome before 34.0.1847.137, allow remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors related to ranges.

Multiple use-after-free vulnerabilities in
net/websockets/websocket_job.cc in the WebSockets implementation in
Google Chrome before 34.0.1847.137 allow remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors related to WebSocketJob deletion.

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.33,
as used in Google Chrome before 34.0.1847.131 on Windows and OS X and
before 34.0.1847.132 on Linux, allow attackers to cause a denial of
service or possibly have other impact via unknown vectors.

Multiple unspecified vulnerabilities in Google Chrome before
34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux
allow attackers to cause a denial of service or possibly have other
impact via unknown vectors.

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.22,
as used in Google Chrome before 34.0.1847.116, allow attackers to
cause a denial of service or possibly have other impact via unknown
vectors.

Multiple unspecified vulnerabilities in Google V8 before 3.23.17.18,
as used in Google Chrome before 33.0.1750.149, allow attackers to
cause a denial of service or possibly have other impact via unknown
vectors.

The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3,
and 4.3.x does not properly restrict access to the (1)
PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations,
which allows local PV guests to cause a denial of service (host or
guest malfunction) or possibly gain privileges via unspecified
vectors.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 33.0 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via vectors related to improper interaction between
threading and garbage collection in the GCRuntime::triggerGC function
in js/src/jsgc.cpp, and unknown other vectors.

Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before
4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not
ensure that a scalar context is used for certain CGI parameters, which
allows remote attackers to conduct cross-site scripting (XSS) attacks
by sending three values for a single parameter name.

Mozilla Firefox before 31.0 does not properly restrict use of
drag-and-drop events to spoof customization events, which allows
remote attackers to alter the placement of UI icons via crafted
JavaScript code that is encountered during (1) page, (2) panel, or (3)
toolbar customization.

Multiple heap-based buffer overflows in the navigator.getGamepads
function in the Gamepad API in Mozilla Firefox before 30.0 allow
remote attackers to execute arbitrary code by using non-contiguous
axes with a (1) physical or (2) virtual Gamepad device.

The (1) WebGL.compressedTexImage2D and (2)
WebGL.compressedTexSubImage2D functions in Mozilla Firefox before 28.0
and SeaMonkey before 2.25 allow remote attackers to bypass the Same
Origin Policy and render content in a different domain via unspecified
vectors.

Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote
attackers to spoof the domain name in the WebRTC (1) camera or (2)
microphone permission prompt by triggering navigation at a certain
time during generation of this prompt.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers
to cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via vectors related to the
MPostWriteBarrier class in js/src/jit/MIR.h and stack alignment in
js/src/jit/AsmJS.cpp in OdinMonkey, and unknown other vectors.

Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain
privileges or cause a denial of service (NULL pointer dereference and
system crash) via a 32-bit executable file for a crafted application.

Power Management in Apple OS X 10.9.x through 10.9.2 allows physically
proximate attackers to bypass an intended transition into the
locked-screen state by touching (1) a key or (2) the trackpad during a
lid-close action.

The SSLVerifySignedServerKeyExchange function in
libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature
in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x
before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before
10.9.2 does not check the signature in a TLS Server Key Exchange
message, which allows man-in-the-middle attackers to spoof SSL servers
by (1) using an arbitrary private key for the signing step or (2)
omitting the signing step.

Multiple integer signedness errors in DirectShowDemuxFilter, as used
in Divx Web Player, Divx Player, and other Divx plugins, allow remote
attackers to execute arbitrary code via a (1) negative or (2) large
value in a Stream Format (STRF) chunk in an AVI file, which triggers a
heap-based buffer overflow.

Multiple array index errors in programs that are automatically
generated by
VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py in
Oracle VirtualBox 4.2.x through 4.2.20 and 4.3.x before 4.3.8, when
using 3D Acceleration, allow local guest OS users to execute arbitrary
code on the Chromium server via certain CR_MESSAGE_OPCODES messages
with a crafted index, which are not properly handled by the (1)
CR_VERTEXATTRIB4NUBARB_OPCODE to the
crServerDispatchVertexAttrib4NubARB function, (2)
CR_VERTEXATTRIB1DARB_OPCODE to the crServerDispatchVertexAttrib1dARB
function, (3) CR_VERTEXATTRIB1FARB_OPCODE to the
crServerDispatchVertexAttrib1fARB function, (4)
CR_VERTEXATTRIB1SARB_OPCODE to the crServerDispatchVertexAttrib1sARB
function, (5) CR_VERTEXATTRIB2DARB_OPCODE to the
crServerDispatchVertexAttrib2dARB function, (6)
CR_VERTEXATTRIB2FARB_OPCODE to the crServerDispatchVertexAttrib2fARB
function, (7) CR_VERTEXATTRIB2SARB_OPCODE to the
crServerDispatchVertexAttrib2sARB function, (8)
CR_VERTEXATTRIB3DARB_OPCODE to the crServerDispatchVertexAttrib3dARB
function, (9) CR_VERTEXATTRIB3FARB_OPCODE to the
crServerDispatchVertexAttrib3fARB function, (10)
CR_VERTEXATTRIB3SARB_OPCODE to the crServerDispatchVertexAttrib3sARB
function, (11) CR_VERTEXATTRIB4DARB_OPCODE to the
crServerDispatchVertexAttrib4dARB function, (12)
CR_VERTEXATTRIB4FARB_OPCODE to the crServerDispatchVertexAttrib4fARB
function, and (13) CR_VERTEXATTRIB4SARB_OPCODE to the
crServerDispatchVertexAttrib4sARB function.

VBox/GuestHost/OpenGL/util/net.c in Oracle VirtualBox before 3.2.22,
4.0.x before 4.0.24, 4.1.x before 4.1.32, 4.2.x before 4.2.24, and
4.3.x before 4.3.8, when using 3D Acceleration, allows local guest OS
users to execute arbitrary code on the Chromium server via a crafted
Chromium network pointer in a (1) CR_MESSAGE_READBACK or (2)
CR_MESSAGE_WRITEBACK message to the VBoxSharedCrOpenGL service, which
triggers an arbitrary pointer dereference and memory corruption. NOTE:
this issue was MERGED with CVE-2014-0982 because it is the same type
of vulnerability affecting the same set of versions. All CVE users
should reference CVE-2014-0981 instead of CVE-2014-0982.

Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo
Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and
7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and
7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset
Management 6.2 through 6.2.8, 7.1 through 7.1.1.2, and 7.2 for Tivoli
Asset Management for IT and certain other products allow remote
authenticated users to inject arbitrary web script or HTML via (1) the
KPI display name field or (2) a portlet field.

The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through
9.0.0.1 does not check whether a session cookie is current, which
allows remote attackers to conduct user-search actions by leveraging
possession of a (1) expired or (2) invalidated cookie.

The CreateProcess method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX
control in bwocxrun.ocx in Advantech WebAccess before 7.2 allows
remote attackers to execute (1) setup.exe, (2) bwvbprt.exe, and (3)
bwvbprtl.exe programs from arbitrary pathnames via a crafted argument,
as demonstrated by a UNC share pathname.

The Festo CECX-X-C1 Modular Master Controller with CoDeSys and
CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not
require authentication for connections to certain TCP ports, which
allows remote attackers to (1) modify the configuration via a request
to the debug service on port 4000 or (2) delete log entries via a
request to the log service on port 4001.

The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before
5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to
bypass intended cryptographic protection mechanisms by triggering
application-data processing during the TLS handshake, a time at which
the data is both unencrypted and unauthenticated.

The client in Novell GroupWise before 8.0.3 HP4, 2012 before SP3, and
2014 before SP1 on Windows allows remote attackers to execute
arbitrary code or cause a denial of service (invalid pointer
dereference) via unspecified vectors.

The rftpcom.dll ActiveX control in Attachmate Reflection FTP Client
before 14.1.429 allows remote attackers to cause a denial of service
(memory corruption) and execute arbitrary code via vectors related to
the (1) GetGlobalSettings or (2) GetSiteProperties3 methods, which
triggers a dereference of an arbitrary memory address. NOTE: this
issue was MERGED with CVE-2014-0606 because it is the same type of
vulnerability, affecting the same set of versions, and discovered by
the same researcher.

Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before
15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe
AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on
Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler
before 15.0.0.249 do not properly restrict discovery of memory
addresses, which allows attackers to bypass the ASLR protection
mechanism via unspecified vectors.

Multiple directory traversal vulnerabilities in Xangati XSR before 11
and XNR before 7 allow remote attackers to read arbitrary files via a
.. (dot dot) in (1) the file parameter in a getUpgradeStatus action to
servlet/MGConfigData, (2) the download parameter in a download action
to servlet/MGConfigData, (3) the download parameter in a port_svc
action to servlet/MGConfigData, (4) the file parameter in a getfile
action to servlet/Installer, or (5) the binfile parameter to
servlet/MGConfigData.
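The Xangati entry above, and the pam_timestamp one earlier in this list, are both user-supplied text becoming a filesystem path: a whole path in the file and download parameters, a single path element in PAM_RUSER and PAM_TTY. Added example, not code from either project: resolve_under() canonicalises the joined path and keeps only results that stay under the base directory (symlinks included), safe_name_component() accepts only a single plain element, and demo() exercises both against a constructed directory layout. The names and layout are assumptions.

```python
import os
import tempfile


def resolve_under(base_dir, user_path):
    """Canonicalise base_dir/user_path and return it only if it is still
    inside base_dir; None for '..' escapes, absolute paths and symlinks
    that point outside."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def safe_name_component(value):
    """For values that become one path element (the PAM_RUSER / PAM_TTY case):
    accept only a non-empty name with no separators that is not '.' or '..'."""
    if not value or value in (".", ".."):
        return None
    if any(ch in value for ch in ("/", "\\", "\0")):
        return None
    return value


def demo():
    """Constructed layout: <dir>/upgrades/status.txt is servable,
    <dir>/secret.txt is not, and <dir>/upgrades/link points at the secret."""
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "upgrades")
        os.mkdir(base)
        with open(os.path.join(base, "status.txt"), "w") as f:
            f.write("ok")
        with open(os.path.join(d, "secret.txt"), "w") as f:
            f.write("do-not-serve")
        os.symlink(os.path.join(d, "secret.txt"), os.path.join(base, "link"))
        return {
            "plain": resolve_under(base, "status.txt") is not None,
            "dotdot": resolve_under(base, "../secret.txt"),
            "nested": resolve_under(base, "a/../../secret.txt"),
            "absolute": resolve_under(base, "/etc/passwd"),
            "symlink": resolve_under(base, "link"),
        }


if __name__ == "__main__":
    print(demo())
    print(safe_name_component("tty1"), safe_name_component("../../tmp/x"))
```

The realpath check is a point-in-time decision; a process serving files from a directory others can write to should additionally open with O_NOFOLLOW and verify the opened descriptor with fstat rather than trust the path again.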

Multiple stack-based buffer overflows on the ZyXEL Wireless N300
NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allow
man-in-the-middle attackers to execute arbitrary code via (1) a long
temp attribute in a yweather:condition element in a forecastrss file
that is processed by the checkWeather function; the (2) WeatherCity or
(3) WeatherDegree variable to the detectWeather function; unspecified
input to the (4) UpnpAddRunRLQoS, (5) UpnpDeleteRunRLQoS, or (6)
UpnpDeletePortCheckType function; or (7) the SET COUNTRY udps command.

Multiple cross-site scripting (XSS) vulnerabilities in PivotX before
2.3.9 allow remote authenticated users to inject arbitrary web script
or HTML via the title field to (1) templates_internal/pages.tpl, (2)
templates_internal/home.tpl, or (3) templates_internal/entries.tpl;
(4) an event field to objects.php; or the (5) email or (6) nickname
field to pages.php, related to templates_internal/users.tpl.

Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple
allow remote authenticated users to inject arbitrary web script or
HTML via (1) the group parameter to admin/addgroup.php, (2) the
htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url
parameter to admin/addbookmark.php, (5) the stylesheet_name parameter
to admin/copystylesheet.php, (6) the template_name parameter to
admin/copytemplate.php, the (7) title or (8) url parameter to
admin/editbookmark.php, (9) the template parameter to
admin/listtemplates.php, or (10) the css_name parameter to
admin/listcss.php, a different issue than CVE-2014-2092.

The cdf_read_property_info function in cdf.c in the Fileinfo component
in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers
to cause a denial of service (infinite loop or out-of-bounds memory
access) via a vector that (1) has zero length or (2) is too long.

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
does not properly restrict processing of ChangeCipherSpec messages,
which allows man-in-the-middle attackers to trigger use of a
zero-length master key in certain OpenSSL-to-OpenSSL communications,
and consequently hijack sessions or obtain sensitive information, via
a crafted TLS handshake, aka the "CCS Injection" vulnerability.

The blind-marking implementation in Moodle through 2.3.11, 2.4.x
before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows
remote authenticated users to de-anonymize student identities by (1)
using a screen reader or (2) reading the HTML source.

Multiple cross-site request forgery (CSRF) vulnerabilities in
mod/assign/locallib.php in the Assignment subsystem in Moodle through
2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before
2.6.3 allow remote attackers to hijack the authentication of teachers
for quick-grading requests.

Multiple integer overflows in the (1) FontFileAddEntry and (2)
lexAlias functions in X.Org libXfont before 1.4.8 and 1.4.9x before
1.4.99.901 might allow local users to gain privileges by adding a
directory with a large fonts.dir or fonts.alias file to the font path,
which triggers a heap-based buffer overflow, related to metadata.

The Netlink implementation in the Linux kernel through 3.14.1 does not
provide a mechanism for authorizing socket operations based on the
opener of a socket, which allows local users to bypass intended access
restrictions and modify network configurations by using a Netlink
socket for the (1) stdout or (2) stderr of a setuid program.

The Nova EC2 API security group implementation in OpenStack Compute
(Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does
not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3)
destroy, and other unspecified methods in compute/api.py when using
non-default policies, which allows remote authenticated users to gain
privileges via these API requests.

Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0
allow local users to cause a denial of service (crash) or possibly
execute arbitrary code via a large (1) L1 table in the
qcow2_snapshot_load_tmp in the QCOW 2 block driver
(block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length,
or (4) number of sectors in the DMG block driver (block/dmg.c).

The identity-reporting implementations in mod/forum/renderer.php and
mod/quiz/override_form.php in Moodle through 2.3.11, 2.4.x before
2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 do not properly
restrict the display of e-mail addresses, which allows remote
authenticated users to obtain sensitive information by using the (1)
Forum or (2) Quiz module.

The wiki subsystem in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x
before 2.5.5, and 2.6.x before 2.6.2 does not properly restrict (1)
view and (2) edit access, which allows remote authenticated users to
perform wiki operations by leveraging the student role and using the
Recent Activity block to reach the individual wiki of an arbitrary
student.

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6
does not properly constrain the class loader that accesses the XML
parser used with an XSLT stylesheet, which allows remote attackers to
(1) read arbitrary files via a crafted web application that provides
an XML external entity declaration in conjunction with an entity
reference, related to an XML External Entity (XXE) issue, or (2) read
files associated with different web applications on a single Tomcat
instance via a crafted web application.

The validator functions for the procedural languages (PLs) in
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12,
9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated
users to gain privileges via a function that is (1) defined in another
language or (2) not allowed to be directly called by the user due to
permissions.

Multiple cross-site request forgery (CSRF) vulnerabilities in
user/profile/index.php in Moodle through 2.2.11, 2.3.x before 2.3.11,
2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 allow
remote attackers to hijack the authentication of administrators for
requests that delete (1) categories or (2) fields.

GE Healthcare Centricity PACS Workstation 4.0 and 4.0.1 has a password
of (1) CANal1 for the Administrator user and (2) iis for the IIS user,
which has unspecified impact and attack vectors related to
TimbuktuPro. NOTE: it is not clear whether this password is default,
hardcoded, or dependent on another system or product that requires it.

The modern style negotiation in Network Block Device (nbd-server)
2.9.22 through 3.3 allows remote attackers to cause a denial of
service (root process termination) by (1) closing the connection
during negotiation or (2) specifying a name for a non-existent export.

Multiple off-by-one errors in the (1) MakeBigReq and (2) SetReqLen
macros in include/X11/Xlibint.h in X11R6.x and libX11 before 1.6.0
allow remote attackers to have unspecified impact via a crafted
request, which triggers a buffer overflow.

GE Healthcare Discovery NM 750b has a password of 2getin for the
insite account for (1) Telnet and (2) FTP, which has unspecified
impact and attack vectors. NOTE: it is not clear whether this password
is default, hardcoded, or dependent on another system or product that
requires a fixed value.

The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local
users to gain privileges via a symlink attack on the pid file created
for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is
used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different
affected versions (ADT3).

Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer
Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before
2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote
attackers to inject arbitrary web script or HTML by (1) providing a
crafted playerId or (2) referencing an external domain, a related
issue to CVE-2013-7342.

Multiple integer signedness errors in the gdImageCrop function in
ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause
a denial of service (application crash) or obtain sensitive
information via an imagecrop function call with a negative value for
the (1) x or (2) y dimension, a different vulnerability than
CVE-2013-7226.

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a
certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge
platforms, does not properly generate random numbers for (1) relay
identity keys and (2) hidden-service identity keys, which might make
it easier for remote attackers to bypass cryptographic protection
mechanisms via unspecified vectors.

The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux
kernel before 3.12.4 updates a certain length value without ensuring
that an associated data structure has been initialized, which allows
local users to obtain sensitive information from kernel stack memory
via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.

The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel
before 3.12.4 updates a certain length value without ensuring that an
associated data structure has been initialized, which allows local
users to obtain sensitive information from kernel memory via a (1)
recvfrom, (2) recvmmsg, or (3) recvmsg system call.

The packet_recvmsg function in net/packet/af_packet.c in the Linux
kernel before 3.12.4 updates a certain length value before ensuring
that an associated data structure has been initialized, which allows
local users to obtain sensitive information from kernel memory via a
(1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.

The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel
before 3.12.4 updates a certain length value without ensuring that an
associated data structure has been initialized, which allows local
users to obtain sensitive information from kernel memory via a (1)
recvfrom, (2) recvmmsg, or (3) recvmsg system call.

The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel
before 3.12.4 updates a certain length value without ensuring that an
associated data structure has been initialized, which allows local
users to obtain sensitive information from kernel memory via a (1)
recvfrom, (2) recvmmsg, or (3) recvmsg system call.

The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel
before 3.12.4 updates a certain length value without ensuring that an
associated data structure has been initialized, which allows local
users to obtain sensitive information from kernel memory via a (1)
recvfrom, (2) recvmmsg, or (3) recvmsg system call.

The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the
Linux kernel before 3.12.4 does not ensure that a certain length value
is consistent with the size of an associated data structure, which
allows local users to obtain sensitive information from kernel memory
via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.

The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel
before 3.12.4 updates a certain length value before ensuring that an
associated data structure has been initialized, which allows local
users to obtain sensitive information from kernel stack memory via a
(1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.

The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel
before 3.12.4 updates a certain length value before ensuring that an
associated data structure has been initialized, which allows local
users to obtain sensitive information from kernel stack memory via a
(1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.

Multiple stack-based buffer overflows in RealNetworks RealPlayer
before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738,
allow remote attackers to execute arbitrary code via a long (1)
version number or (2) encoding declaration in the XML declaration of
an RMP file, a different issue than CVE-2013-6877.

Multiple buffer overflows in the create_ntlmssp_v2_key function in
epan/dissectors/packet-ntlmssp.c in the NTLMSSP v2 dissector in
Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4 allow remote
attackers to cause a denial of service (application crash) via a long
domain name in a packet.

Multiple cross-site scripting (XSS) vulnerabilities in the web based
operator client in LiveZilla before 5.1.2.1 allow remote attackers to
inject arbitrary web script or HTML via the (1) name of an uploaded
file or (2) customer name in a resource created from an uploaded file,
a different vulnerability than CVE-2013-7003.

Multiple race conditions in ipc/shm.c in the Linux kernel before
3.12.2 allow local users to cause a denial of service (use-after-free
and system crash) or possibly have unspecified other impact via a
crafted application that uses shmctl IPC_RMID operations in
conjunction with other shm system calls.

Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg
before 2.1 allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact
via crafted data.

The Multimedia Messaging Centre (MMSC) in NowSMS Now SMS & MMS Gateway
before 2013.11.15 allows remote attackers to cause a denial of service
via a malformed MM1 message that is routed to a (1) MM4 or (2) MM7
connection.

The png_do_expand_palette function in libpng before 1.6.8 allows
remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via (1) a PLTE chunk of zero bytes
or (2) a NULL palette, related to pngrtran.c and pngset.c.

The parseRTSPRequestString function in Live Networks Live555 Streaming
Media 2011.08.13 through 2013.11.25, as used in VideoLAN VLC Media
Player, allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code via a (1) space or (2) tab
character at the beginning of an RTSP message, which triggers an
integer underflow, infinite loop, and buffer overflow.

BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39
on Mac OS X does not properly determine the user account for execution
of Peer Manager in certain situations involving successive logins with
different accounts, which allows context-dependent attackers to bypass
intended restrictions on remote file-access folders via IPv6 WebDAV
requests, a different vulnerability than CVE-2013-3694.

security/MemberLoginForm.php in SilverStripe 3.0.3 supports
credentials in a GET request, which allows remote or local attackers
to obtain sensitive information by reading web-server access logs,
web-server Referer logs, or the browser history, a similar
vulnerability to CVE-2013-2653.

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10,
as used in Google Chrome before 33.0.1750.146, allow attackers to
cause a denial of service or possibly have other impact via unknown
vectors.

Multiple use-after-free vulnerabilities in the layout implementation
in Blink, as used in Google Chrome before 33.0.1750.117, allow remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors involving (1) running JavaScript code during
execution of the updateWidgetPositions function or (2) making a call
into a plugin during execution of the updateWidgetPositions function.

Directory traversal vulnerability in
sandbox/win/src/named_pipe_dispatcher.cc in Google Chrome before
33.0.1750.117 on Windows allows attackers to bypass intended
named-pipe policy restrictions in the sandbox via vectors related to
(1) lack of checks for .. (dot dot) sequences or (2) lack of use of
the \\?\ protection mechanism.

Multiple unspecified vulnerabilities in Google Chrome before
32.0.1700.76 on Windows and before 32.0.1700.77 on Mac OS X and Linux
allow attackers to cause a denial of service or possibly have other
impact via unknown vectors.

Multiple buffer overflows in runtime.cc in Google V8 before 3.22.24.7,
as used in Google Chrome before 31.0.1650.63, allow remote attackers
to cause a denial of service or possibly have unspecified other impact
via vectors that trigger a large typed array, related to the (1)
Runtime_TypedArrayInitialize and (2)
Runtime_TypedArrayInitializeFromArrayLike functions.

Use-after-free vulnerability in core/dom/ContainerNode.cpp in Blink,
as used in Google Chrome before 31.0.1650.48, allows remote attackers
to cause a denial of service or possibly have unspecified other impact
by leveraging improper handling of DOM range objects in circumstances
that require child node removal after a (1) mutation or (2) blur
event.

The default soap.wsdl_cache_dir setting in (1) php.ini-production and
(2) php.ini-development in PHP through 5.6.7 specifies the /tmp
directory, which makes it easier for local users to conduct WSDL
injection attacks by creating a file under /tmp with a predictable
filename that is used by the get_sdl function in ext/soap/php_sdl.c.

The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1
allows local users to (1) delete arbitrary host devices via the
virDomainDeviceDettach API and a symlink attack on /dev in the
container; (2) create arbitrary nodes (mknod) via the
virDomainDeviceAttach API and a symlink attack on /dev in the
container; and cause a denial of service (shutdown or reboot host OS)
via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink
attack on /dev/initctl in the container, related to "paths under
/proc/$PID/root" and the virInitctlSetRunLevel function.

The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP
before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not
properly parse (1) notBefore and (2) notAfter timestamps in X.509
certificates, which allows remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a crafted
certificate that is not properly handled by the openssl_x509_parse
function.

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before
3.2.16 and 4.x before 4.0.2 does not properly consider differences in
parameter handling between the Active Record component and the JSON
implementation, which allows remote attackers to bypass intended
database-query restrictions and perform NULL checks or trigger missing
WHERE clauses via a crafted request that leverages (1) third-party
Rack middleware or (2) custom Rack middleware. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2013-0155.

Multiple buffer underflows in the XFS implementation in the Linux
kernel through 3.12.1 allow local users to cause a denial of service
(memory corruption) or possibly have unspecified other impact by
leveraging the CAP_SYS_ADMIN capability for a (1)
XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl
call with a crafted length value, related to the
xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the
xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.

The (1) get_user and (2) put_user API functions in the Linux kernel
before 3.5.5 on the v6k and v7 ARM platforms do not validate certain
addresses, which allows attackers to read or modify the contents of
arbitrary kernel memory locations via a crafted application, as
exploited in the wild against Android devices in October and November
2013.

Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla
before 5.1.1.0 allow remote attackers to inject arbitrary web script
or HTML via (1) a name in the call administrator feature, (2)
unspecified vectors to the admins visitor information panel, or (3) a
text message in a chat session, which is saved in the archive section.

Integer overflow in the OZDocument::parseElement function in Apple
Motion 5.0.7 allows remote attackers to cause a denial of service
(application crash) via a (1) large or (2) small value in the subview
attribute of a viewer element in a .motn file.

Buffer overflow in MostGear Soft Easy LAN Folder Share 3.2.0.100
allows local users to cause a denial of service (application crash)
and possibly execute arbitrary code via a long string in the (1)
registration code field in the activate license window or the (2)
HKLM\SOFTWARE\MostGear\EasyLanFolderShare_V1\License registry key.
NOTE: it is not clear from the original report whether this issue
crosses privilege boundaries. If not, then it should not be included
in CVE.

Cross-site request forgery (CSRF) vulnerability in Cart66Product.php
in the Cart66 Lite plugin before 1.5.1.15 for WordPress allows remote
attackers to hijack the authentication of administrators for requests
that (1) create or modify products or conduct cross-site scripting
(XSS) attacks via the (2) Product name or (3) Price description field
in a product save action via a request to wp-admin/admin.php.

VMware ESXi 4.0 through 5.5 and ESX 4.0 and 4.1 allow local users to
read or modify arbitrary files by leveraging the Virtual Machine Power
User or Resource Pool Administrator role for a vCenter Server Add
Existing Disk action with a (1) -flat, (2) -rdm, or (3) -rdmp
filename.

Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not
perform appropriate encoding when a (1) <h:outputText> tag or (2) EL
expression is used after a script or style block, which allows remote
attackers to conduct cross-site scripting (XSS) attacks via
application-specific vectors.

The authorization implementation on Dahua DVR appliances accepts a
hash string representing the current date for the role of a master
password, which makes it easier for remote attackers to obtain
administrative access and change the administrator password via
requests involving (1) ActiveX, (2) a standalone client, or (3)
unspecified other vectors, a different vulnerability than
CVE-2013-3612.

Tweetbot 1.3.3 for Mac, and 2.8.5 for iPad and iPhone, does not
require confirmation of (1) follow or (2) favorite actions, which
allows remote attackers to automatically force the user to perform
undesired actions, as demonstrated via the tweetbot:///follow/ URL.

epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark
1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers
to cause a denial of service (infinite loop) via a crafted packet.

Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php
in the VideoWhisper Live Streaming Integration plugin 4.25.3 and
possibly earlier for WordPress allow remote attackers to inject
arbitrary web script or HTML via the (1) name or (2) message
parameter. NOTE: some of these details are obtained from third party
information.

inc/central.class.php in GLPI before 0.84.2 does not attempt to make
install/install.php unavailable after an installation is completed,
which allows remote attackers to conduct cross-site request forgery
(CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action
or (2) execute arbitrary PHP code via an update_1 action.

The (1) IPv6 and (2) ATM ioctl request handlers in the kernel in
FreeBSD 8.3 through 9.2-STABLE do not validate SIOCSIFADDR,
SIOCSIFBRDADDR, SIOCSIFDSTADDR, and SIOCSIFNETMASK requests, which
allows local users to perform link-layer actions, cause a denial of
service (panic), or possibly gain privileges via a crafted
application.

Multiple integer overflows in the binary-search implementation in
SpiderMonkey in Mozilla Firefox before 26.0 and SeaMonkey before 2.23
might allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact
via crafted JavaScript code.

The (1) Conn_StartLogin and (2) cb_Read_Resolver_Result functions in
conn.c in ngIRCd 18 through 20.2, when the configuration option
NoticeAuth is enabled, do not properly handle the return code for
the Handle_Write function, which allows remote attackers to cause a
denial of service (assertion failure and server crash) via unspecified
vectors, related to a "notice auth" message not being sent to a new
client.

The TCP reassembly feature in Cisco IOS XE 3.7 before 3.7.3S and 3.8
before 3.8.1S on 1000 ASR devices allows remote attackers to cause a
denial of service (device reload) via large TCP packets that are
processed by the (1) NAT or (2) ALG component, aka Bug ID CSCud72509.

The Data Growth Solution for JD Edwards EnterpriseOne in IBM
InfoSphere Optim 3.0 through 9.1 has hardcoded database credentials,
which allows remote authenticated users to obtain sensitive
information by reading an unspecified field in an XML document.

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26
allows remote attackers to cause a denial of service (traffic
amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1
requests, as exploited in the wild in December 2013.

The (1) REST and (2) memcache interfaces in the Hazelcast cluster API
in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before
7.2.2-rev16 do not require authentication, which allows remote
attackers to obtain sensitive information or modify data via an API
call.

The App Store component in Apple iOS before 7.0.4 does not properly
enforce an intended transaction-time password requirement, which
allows local users to complete a (1) App purchase or (2) In-App
purchase by leveraging previous entry of Apple ID credentials.

The Square Squash allows remote attackers to execute arbitrary code
via a YAML document in the (1) namespace parameter to the
deobfuscation function or (2) sourcemap parameter to the sourcemap
function in app/controllers/api/v1_controller.rb.

Multiple race conditions in HtmlCleaner before 2.6, as used in
Open-Xchange AppSuite 7.2.2 before rev13 and other products, allow
remote authenticated users to read the private e-mail of other persons
in opportunistic circumstances by leveraging lack of thread safety and
performing a rapid series of (1) mail-sending or (2) draft-saving
operations.

An ActiveX control in NationalInstruments.Help2.dll in National
Instruments NI .NET Class Library Help, as used in Measurement Studio
2013 and earlier and other products, allows remote attackers to obtain
sensitive information about the existence of registry keys via crafted
(1) key-open or (2) key-close method calls.

Absolute path traversal vulnerability in the 3D Graph ActiveX control
in cw3dgrph.ocx in National Instruments LabWindows/CVI 2012 SP1 and
earlier, LabVIEW 2012 SP1 and earlier, and other products allows
remote attackers to create and execute arbitrary files via a full
pathname in an argument to the ExportStyle method, in conjunction with
file content in the (1) Caption or (2) FormatString property value.

Multiple absolute path traversal vulnerabilities in National
Instruments cwui.ocx, as used in National Instruments LabWindows/CVI
2012 SP1 and earlier, National Instruments LabVIEW 2012 SP1 and
earlier, the Data Analysis component in ABB DataManager 1 through
6.3.6, and other products allow remote attackers to create and execute
arbitrary files via a full pathname in an argument to the ExportStyle
method in the (1) CWNumEdit, (2) CWGraph, (3) CWBoolean, (4) CWSlide,
or (5) CWKnob ActiveX control, in conjunction with file content in the
(a) Caption or (b) FormatString property value.

Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in
the Genetech Solutions Pie-Register plugin before 1.31 for WordPress,
when "Allow New Registrations to set their own Password" is enabled,
allow remote attackers to inject arbitrary web script or HTML via the
(1) pass1 or (2) pass2 parameter in a register action. NOTE: some of
these details are obtained from third party information.

Multiple unspecified vulnerabilities in the AiCloud feature on the
ASUS RT-AC66U, RT-N66U, RT-N65U, RT-N14U, RT-N16, RT-N56U, and
DSL-N55U with firmware before 3.0.4.372 have unknown impact and attack
vectors.

Multiple array index errors in epan/dissectors/packet-gsm_a_common.c
in the GSM A Common dissector in Wireshark 1.8.x before 1.8.9 and
1.10.x before 1.10.1 allow remote attackers to cause a denial of
service (application crash) via a crafted packet.

epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator
dissector in Wireshark 1.10.x before 1.10.1 does not properly
determine whether there is remaining packet data to process, which
allows remote attackers to cause a denial of service (application
crash) via a crafted packet.

epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator
dissector in Wireshark 1.10.x before 1.10.1 does not properly validate
certain index values, which allows remote attackers to cause a denial
of service (assertion failure and application exit) via a crafted
packet.

goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux
kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android
contributions for MSM devices and other products, relies on user-space
length values for kernel-memory copies of procfs file content, which
allows attackers to gain privileges or cause a denial of service
(memory corruption) via an application that provides crafted values.

Multiple integer overflows in the JPEG engine drivers in the MSM
camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm
Innovation Center (QuIC) Android contributions for MSM devices and
other products, allow attackers to cause a denial of service (system
crash) via a large number of commands in an ioctl call, related to (1)
camera_v1/gemini/msm_gemini_sync.c, (2)
camera_v2/gemini/msm_gemini_sync.c, (3)
camera_v2/jpeg_10/msm_jpeg_sync.c, (4) gemini/msm_gemini_sync.c, (5)
jpeg_10/msm_jpeg_sync.c, and (6) mercury/msm_mercury_sync.c.

J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1R
before 12.1R6, 12.1X44 before 12.1X44-D15, 12.1X45 before 12.1X45-D10,
12.2 before 12.2R3, 12.3 before 12.3R2, and 13.1 before 13.1R3 allows
remote attackers to bypass the cross-site request forgery (CSRF)
protection mechanism and hijack the authentication of administrators
for requests that (1) create new administrator accounts or (2) have
other unspecified impacts.

git_http_controller.rb in the redmine_git_hosting plugin for Redmine
allows remote attackers to execute arbitrary commands via shell
metacharacters in (1) the service parameter to info/refs, related to
the get_info_refs function or (2) the reqfile argument to the
file_exists function.

REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain
undocumented syntax within branching logic and calculations, which
allows remote authenticated users to bypass intended access
restrictions via (1) the Online Designer or (2) the Data Dictionary
upload, as demonstrated by an eval call.

Multiple stack-based buffer overflows in
net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when
CONFIG_IP_VS is used, allow local users to gain privileges by
leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system
call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt
system call, related to the do_ip_vs_set_ctl function.

Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in
the Linux kernel before 3.12 allow local users to cause a denial of
service or possibly have unspecified other impact by leveraging the
CAP_NET_ADMIN capability and providing a long station-name string,
related to the (1) wvlan_uil_put_info and (2)
wvlan_set_station_nickname functions.

Multiple integer overflows in Alchemy LCD frame-buffer drivers in the
Linux kernel before 3.12 allow local users to create a read-write
memory mapping for the entirety of kernel memory, and consequently
gain privileges, via crafted mmap operations, related to the (1)
au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2)
au1200fb_fb_mmap function in drivers/video/au1200fb.c.

Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6
does not enforce the password-guessing protection mechanism for all
interfaces, which makes it easier for remote attackers to obtain
access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP
attempts.

Untrusted search path vulnerability in python-paste-script (aka
paster) in Luci 0.26.0, when started using the initscript, allows
local users to gain privileges via a Trojan horse .egg-info file in
the (1) current working directory or (2) its parent directories.

Multiple integer overflows in the th_read function in lib/block.c in
libtar before 1.2.20 allow remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a long (1)
name or (2) link in an archive, which triggers a heap-based buffer
overflow.

The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x
and 4.3.x frees certain memory that may still be intended for use,
which allows local users to cause a denial of service (heap corruption
and crash) and possibly execute arbitrary code via unspecified vectors
that trigger a (1) use-after-free or (2) double free.

systemd does not properly use D-Bus for communication with a polkit
authority, which allows local users to bypass intended access
restrictions by leveraging a PolkitUnixProcess PolkitSubject race
condition via a (1) setuid process or (2) pkexec process, a related
issue to CVE-2013-4288.

RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for
communication with a polkit authority, which allows local users to
bypass intended access restrictions by leveraging a PolkitUnixProcess
PolkitSubject race condition via a (1) setuid process or (2) pkexec
process, a related issue to CVE-2013-4288.

The check_permission_v1 function in base/pkit.py in HP Linux Imaging
and Printing (HPLIP) through 3.13.9 does not properly use D-Bus for
communication with a polkit authority, which allows local users to
bypass intended access restrictions by leveraging a PolkitUnixProcess
PolkitSubject race condition via a (1) setuid process or (2) pkexec
process.

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before
8.0.0-RC10 processes chunked transfer coding without properly handling
(1) a large total amount of chunked data or (2) whitespace characters
in an HTTP header value within a trailer field, which allows remote
attackers to cause a denial of service by streaming data. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2012-3544.

Race condition in PolicyKit (aka polkit) allows local users to bypass
intended PolicyKit restrictions and gain privileges by starting a
setuid or pkexec process before the authorization check is performed,
related to (1) the polkit_unix_process_new API function, (2) the dbus
API, or (3) the --process (unix-process) option for authorization to
pkcheck.

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before
8.0.0-RC3, when an HTTP connector or AJP connector is used, does not
properly handle certain inconsistent HTTP request headers, which
allows remote attackers to trigger incorrect identification of a
request's length and conduct request-smuggling attacks via (1)
multiple Content-Length headers or (2) a Content-Length header and a
"Transfer-Encoding: chunked" header. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2005-2090.

The policy definition evaluator in Condor 7.5.4, 8.0.0, and earlier
does not properly handle attributes in a (1) PREEMPT, (2) SUSPEND, (3)
CONTINUE, (4) WANT_VACATE, or (5) KILL policy that evaluate to an
Unconfigured, Undefined, or Error state, which allows remote
authenticated users to cause a denial of service (condor_startd exit)
via a crafted job.

Multiple buffer overflows in libtiff before 4.0.3 allow remote
attackers to cause a denial of service (out-of-bounds write) via a
crafted (1) extension block in a GIF image or (2) GIF raster image to
tools/gif2tiff.c or (3) a long filename for a TIFF image to
tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat,
which states that the input cannot exceed the allocated buffer size.

The rsa_verify function in PuTTY before 0.63 (1) does not clear
sensitive process memory after use and (2) does not free certain
structures containing sensitive process memory, which might allow
local users to discover private RSA and DSA keys.

The (1) power and (2) ipmi_boot actions in the HostController in
Foreman before 1.2.2 allow remote attackers to cause a denial of
service (memory consumption) via unspecified input that is converted
to a symbol.

Multiple cross-site scripting (XSS) vulnerabilities in the Scald
module 7.x-1.x before 7.x-1.1 for Drupal allow remote attackers to
inject arbitrary web script or HTML via the (1) flash_uri, (2)
flash_width, or (3) flash_height in the scald_flash_scald_prerender
function in providers/scald_flash/scald_flash.module; or the (4)
caption in the scald_image_scald_prerender function in
providers/scald_image/scald_image.module.

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0
before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before
revision 43780 allows context-dependent attackers to cause a denial of
service (segmentation fault) and possibly execute arbitrary code via a
string that is converted to a floating point value, as demonstrated
using (1) the to_f method or (2) JSON.parse.

The (1) checkPasswd and (2) checkGroupXlockPasswds functions in
xlockmore before 5.43 do not properly handle when a NULL value is
returned upon an error by the crypt or dispcrypt function as
implemented in glibc 2.17 and later, which allows attackers to bypass
the screen lock via vectors related to invalid salts.

KDE-Workspace 4.10.5 and earlier does not properly handle the return
value of the glibc 2.17 crypt and pw_encrypt functions, which allows
remote attackers to cause a denial of service (NULL pointer
dereference and crash) via (1) an invalid salt or a (2) DES or (3) MD5
encrypted password, when FIPS-140 is enabled, to KDM or an (4) invalid
password to KCheckPass.

The (1) red_channel_pipes_add_type and (2)
red_channel_pipes_add_empty_msg functions in server/red_channel.c in
SPICE before 0.12.4 do not properly perform ring loops, which might
allow remote attackers to cause a denial of service (reachable
assertion and server exit) by triggering a network error.

The bridge multicast implementation in the Linux kernel through 3.10.3
does not check whether a certain timer is armed before modifying the
timeout value of that timer, which allows local users to cause a
denial of service (BUG and system crash) via vectors involving the
shutdown of a KVM virtual machine, related to net/bridge/br_mdb.c and
net/bridge/br_multicast.c.

The SecureSphere Operations Manager (SOM) Management Server in Imperva
SecureSphere 9.0.0.5 allows context-dependent attackers to obtain
sensitive information by leveraging the presence of (1) a session ID
in the jsessionid field to secsphLogin.jsp or (2) credentials in the
j_password parameter to j_acegi_security_check, and reading (a)
web-server access logs, (b) web-server Referer logs, or (c) the
browser history.

epan/dissectors/packet-rdp.c in the RDP dissector in Wireshark 1.8.x
before 1.8.8 does not validate return values during checks for data
availability, which allows remote attackers to cause a denial of
service (application crash) via a crafted packet.

The posix_spawn system call in the XNU kernel in Apple Mac OS X 10.8.x
does not properly validate the data for file actions and port actions,
which allows local users to (1) cause a denial of service (panic) via
a size value that is inconsistent with a header count field, or (2)
obtain sensitive information from kernel heap memory via a certain
size value in conjunction with a crafted buffer.

Multiple cross-site request forgery (CSRF) vulnerabilities in Kasseler
CMS before 2 r1232 allow remote attackers to hijack the authentication
of administrators for requests that conduct SQL injection attacks via
the (1) groups[] parameter in a send action in the sendmail module or
(2) query parameter in a sql_query action in the database module to
admin.php, related to CVE-2013-3727.

Multiple integer signedness errors in the tvb_unmasked function in
epan/dissectors/packet-websocket.c in the Websocket dissector in
Wireshark 1.8.x before 1.8.7 allow remote attackers to cause a denial
of service (application crash) via a malformed packet.

Multiple integer overflows in Wireshark 1.8.x before 1.8.7 allow
remote attackers to cause a denial of service (loop or application
crash) via a malformed packet, related to a crash of the Websocket
dissector, an infinite loop in the MySQL dissector, and a large loop
in the ETCH dissector.

Memory leak in Cisco Unified Communications Manager IM and Presence
Service before 8.6(5)SU1 and 9.x before 9.1(2), and Cisco Unified
Presence, allows remote attackers to cause a denial of service (memory
and CPU consumption) by making many TCP connections to port (1) 5060
or (2) 5061, aka Bug ID CSCud84959.

The management GUI in the web framework in IronPort AsyncOS on Cisco
Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838,
and 7.7 before 7.7.0-602; Email Security Appliance devices before
7.1.5-106 and 7.3, 7.5, and 7.6 before 7.6.3-019; and Content Security
Management Appliance devices before 7.9.1-102 and 8.0 before 8.0.0-404
allows remote attackers to cause a denial of service (system hang) via
a series of (1) HTTP or (2) HTTPS requests to a management interface,
aka Bug IDs CSCzv58669, CSCzv63329, and CSCzv78669.

The ftrace implementation in the Linux kernel before 3.8.8 allows
local users to cause a denial of service (NULL pointer dereference and
system crash) or possibly have unspecified other impact by leveraging
the CAP_SYS_ADMIN capability for write access to the (1)
set_ftrace_pid or (2) set_graph_function file, and then making an
lseek system call.

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir
directory is configured, allows remote authenticated users to execute
arbitrary code by using a double extension in the filename of an
export file, leading to interpretation of this file as an executable
file by the Apache HTTP Server, as demonstrated by a .php.sql
filename.
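The phpMyAdmin entry above turns on an Apache behaviour worth seeing in configuration form: mod_mime's AddHandler and AddType directives match on any extension segment of a multi-extension filename, so a file written as dump.php.sql into a SaveDir ($cfg['SaveDir']) that lives under the document root is handed to the PHP handler. The fragment below is an added illustration, not configuration shipped with phpMyAdmin or Apache; the directory path is an assumed example. It shows the weak binding beside the form that only fires when .php is the final extension.

```apache
# Weak: AddHandler binds the PHP handler to ANY file whose name contains a
# ".php" extension segment, so "dump.php.sql" is executed rather than served.
AddHandler application/x-httpd-php .php

# Corrected: SetHandler inside FilesMatch applies only when ".php" is the
# final extension, so "dump.php.sql" is delivered as plain data.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Defence in depth for the SaveDir case (assumed example path): force the
# export directory to be served statically even if a handler matches elsewhere.
<Directory "/var/www/phpmyadmin-exports">
    SetHandler default-handler
</Directory>
```

The safer choice is to point SaveDir at a directory outside the document root entirely; the Directory block is the fallback when that is not possible. Verify with a request for a test file named x.php.sql in the export directory: a corrected server returns the file bytes, not a PHP-evaluated response.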

Multiple cross-site request forgery (CSRF) vulnerabilities in TRENDnet
TEW-812DRU router with firmware before 1.0.9.0 allow remote attackers
to hijack the authentication of administrators for requests that (1)
change admin credentials in a request to setSysAdm.cgi, (2) enable
remote management or (3) enable port forwarding in an Apply action to
uapply.cgi, or (4) have unspecified impact via a request to
setNTP.cgi. NOTE: some of these details are obtained from third party
information.

Multiple integer overflows in the IP_MSFILTER and IPV6_MSFILTER
features in (1) sys/netinet/in_mcast.c and (2)
sys/netinet6/in6_mcast.c in the multicast implementation in the kernel
in FreeBSD 8.3 through 9.2-PRERELEASE allow local users to bypass
intended restrictions on kernel-memory read and write operations, and
consequently gain privileges, via vectors involving a large number of
source-filter entries.

The Linux kernel before 3.12.2 does not properly use the get_dumpable
function, which allows local users to bypass intended ptrace
restrictions or obtain sensitive information from IA64 scratch
registers via a crafted application, related to kernel/ptrace.c and
arch/ia64/include/asm/processor.h.

Multiple race conditions in the Web Audio implementation in Blink, as
used in Google Chrome before 30.0.1599.66, allow remote attackers to
cause a denial of service or possibly have unspecified other impact
via vectors related to threading in core/html/HTMLMediaElement.cpp,
core/platform/audio/AudioDSPKernelProcessor.cpp,
core/platform/audio/HRTFElevation.cpp, and
modules/webaudio/ConvolverNode.cpp.

Use-after-free vulnerability in the
HTMLMediaElement::didMoveToNewDocument function in
core/html/HTMLMediaElement.cpp in Blink, as used in Google Chrome
before 29.0.1547.57, allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors
involving moving a (1) AUDIO or (2) VIDEO element between documents.

Use-after-free vulnerability in the XSLT ProcessingInstruction
implementation in Blink, as used in Google Chrome before 29.0.1547.57,
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to an applyXSLTransform
call involving (1) an HTML document or (2) an
xsl:processing-instruction element that is still in the process of
loading.

Multiple integer overflows in (1) libGLESv2/renderer/Renderer9.cpp and
(2) libGLESv2/renderer/Renderer11.cpp in Almost Native Graphics Layer
Engine (ANGLE), as used in Google Chrome before 29.0.1547.57, allow
remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors.

Multiple array index errors in drivers/hid/hid-multitouch.c in the
Human Interface Device (HID) subsystem in the Linux kernel through
3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically
proximate attackers to cause a denial of service (heap memory
corruption, or NULL pointer dereference and OOPS) via a crafted
device.

drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in
the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled,
allows physically proximate attackers to cause a denial of service
(heap-based out-of-bounds write) via a crafted device.

parser.c in libxml2 before 2.9.0, as used in Google Chrome before
28.0.1500.71 and other products, allows remote attackers to cause a
denial of service (out-of-bounds read) via a document that ends
abruptly, related to the lack of certain checks for the XML_PARSER_EOF
state.

The Web Audio implementation in Google Chrome before 27.0.1453.93
allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via unknown
vectors.

Multiple unspecified vulnerabilities in the System Management (aka
SysAdmin) Console in EMC Smarts Network Configuration Manager (NCM)
through 9.2 have unknown impact and attack vectors, a different issue
than CVE-2013-0935. NOTE: this might overlap CVEs for open-source
server components or other third-party components.

The dissect_server_info function in epan/dissectors/packet-ms-mms.c in
the MS-MMS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before
1.8.6 does not properly manage string lengths, which allows remote
attackers to cause a denial of service (application crash) via a
malformed packet that (1) triggers an integer overflow or (2) has
embedded '\0' characters in a string.

vzkernel before 042stab080.2 in the OpenVZ modification for the Linux
kernel 2.6.32 does not initialize certain length variables, which
allows local users to obtain sensitive information from kernel stack
memory via (1) a crafted ploop driver ioctl call, related to the
ploop_getdevice_ioc function in drivers/block/ploop/dev.c, or (2) a
crafted quotactl system call, related to the compat_quotactl function
in fs/quota/quota.c.

Multiple buffer overflows in the switch_perform_substitution function
in switch_regex.c in FreeSWITCH 1.2 allow remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via
vectors related to the index and substituted variables.

The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions
in net/key/af_key.c in the Linux kernel before 3.10 do not initialize
certain structure members, which allows local users to obtain
sensitive information from kernel heap memory by reading a broadcast
message from the notify interface of an IPSec key_socket.

status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does
not properly restrict access to certain users that are a contact for a
service, which allows remote authenticated users to obtain sensitive
information about hostnames via the servicegroup (1) overview, (2)
summary, or (3) grid style in status.cgi. NOTE: this behavior is by
design in most 3.x versions, but the upstream vendor "decided to
change it for Nagios 4" and 3.5.1.

X.Org xdm 1.1.10, 1.1.11, and possibly other versions, when performing
authentication using certain implementations of the crypt API function
that can return NULL, allows remote attackers to cause a denial of
service (NULL pointer dereference and crash) by attempting to log into
an account whose password field contains invalid characters, as
demonstrated using the crypt function from glibc 2.17 and later with
(1) the "!" character in the salt portion of a password field or (2) a
password that has been encrypted using DES or MD5 in FIPS-140 mode.

The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x
before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause
a denial of service (CPU and memory consumption) via crafted XML with
a large number of (1) elements, (2) attributes, (3) nested constructs,
and possibly other vectors.

Apache Santuario XML Security for C++ (aka xml-security-c) before
1.7.1 does not properly validate length values, which allows remote
attackers to cause a denial of service or bypass the CVE-2009-0217
protection mechanism and spoof a signature via crafted length values
to the (1) compareBase64StringToRaw, (2) DSIGAlgorithmHandlerDefault,
or (3) DSIGAlgorithmHandlerDefault::verify functions.

The HP Smart Array controller disk-array driver and Compaq SMART2
controller disk-array driver in the Linux kernel through 3.9.4 do not
initialize certain data structures, which allows local users to obtain
sensitive information from kernel memory via (1) a crafted
IDAGETPCIINFO command for a /dev/ida device, related to the
ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted
CCISS_PASSTHRU32 command for a /dev/cciss device, related to the
cciss_ioctl32_passthru function in drivers/block/cciss.c.

The do_tkill function in kernel/signal.c in the Linux kernel before
3.8.9 does not initialize a certain data structure, which allows local
users to obtain sensitive information from kernel memory via a crafted
application that makes a (1) tkill or (2) tgkill system call.

The dispatch_discard_io function in
drivers/block/xen-blkback/blkback.c in the Xen blkback implementation
in the Linux kernel before 3.10.5 allows guest OS users to cause a
denial of service (data loss) via filesystem write operations on a
read-only disk that supports the (1) BLKIF_OP_DISCARD (aka discard or
TRIM) or (2) SCSI UNMAP feature.

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute
arbitrary OGNL code via a request with a crafted value that contains
both "${}" and "%{}" sequences, which causes the OGNL code to be
evaluated twice.

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute
arbitrary OGNL code via a request with a crafted action name that is
not properly handled during wildcard matching, a different
vulnerability than CVE-2013-2135.

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute
arbitrary OGNL code via a crafted request that is not properly handled
when using the includeParams attribute in the (1) URL or (2) A tag.
NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

The create method in app/controllers/users_controller.rb in Foreman
before 1.2.0-RC2 allows remote authenticated users with permissions to
create or edit other users to gain privileges by (1) changing the
admin flag or (2) assigning an arbitrary role.

python-keystoneclient before 0.2.4, as used in OpenStack Keystone
(Folsom), does not properly check expiry for PKI tokens, which allows
remote authenticated users to (1) retain use of a token after it has
expired, or (2) use a revoked token once it expires.

The NMEA0183 driver in gpsd before 3.9 allows remote attackers to
cause a denial of service (daemon termination) and possibly execute
arbitrary code via a GPS packet with a malformed $GPGGA interpreted
sentence that lacks certain fields and a terminator. NOTE: a separate
issue in the AIS driver was also reported, but it might not be a
vulnerability.

X.org libXt 1.1.3 and earlier does not check the return value of the
XGetWindowProperty function, which allows X servers to trigger use of
an uninitialized pointer and memory corruption via vectors related to
the (1) ReqCleanup, (2) HandleSelectionEvents, (3) ReqTimedOut, (4)
HandleNormal, and (5) HandleSelectionReplies functions.

The (1) GetDatabase and (2) _XimParseStringFile functions in X.org
libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion
depth when processing directives to include files, which allows X
servers to cause a denial of service (stack consumption) via a crafted
file.

Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly
other versions might allow context-dependent attackers to cause a
denial of service (crash) and possibly execute arbitrary code via
vectors related to the (1) htmlParseChunk and (2) xmldecl_done
functions, as demonstrated by a buffer overflow in the
xmlBufGetInputBase function.

Apache Struts 2 before 2.3.14.1 allows remote attackers to execute
arbitrary OGNL code via a crafted request that is not properly handled
when using the includeParams attribute in the (1) URL or (2) A tag.

The ActiveSupport::XmlMini_JDOM backend in
lib/active_support/xml_mini/jdom.rb in the Active Support component in
Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13,
when JRuby is used, does not properly restrict the capabilities of the
XML parser, which allows remote attackers to read arbitrary files or
cause a denial of service (resource consumption) via vectors involving
(1) an external DTD or (2) an external entity declaration in
conjunction with an entity reference.

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before
1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to
cause a denial of service (memory consumption) by (1) setting or (2)
deleting a large number of properties for a file or directory.

net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to
gain privileges or cause a denial of service (NULL pointer dereference
and system crash) by leveraging the CAP_NET_ADMIN capability for a
certain (1) sender or (2) receiver getsockopt call.

Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel
through 3.8.4 allows guest OS users to cause a denial of service (host
OS memory corruption) or possibly have unspecified other impact via a
crafted application that triggers use of a guest physical address
(GPA) in (1) movable or (2) removable memory during an
MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation.

Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in
Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1
allow remote attackers to inject arbitrary web script or HTML via a
field value that is not properly handled during construction of a
tabular report, as demonstrated by the (1) summary or (2) real name
field. NOTE: this issue exists because of an incomplete fix for
CVE-2012-4189.

Multiple untrusted search path vulnerabilities in the (1) full
installer and (2) stub installer in Mozilla Firefox before 23.0 on
Windows allow local users to gain privileges via a Trojan horse DLL in
the default downloads directory. NOTE: this issue exists because of an
incomplete fix for CVE-2012-4206.

The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox
ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR
17.x before 17.0.7 does not properly restrict use of DefaultValue for
method calls, which allows remote attackers to execute arbitrary
JavaScript code with chrome privileges via a crafted web site that
triggers use of a user-defined (1) toString or (2) valueOf method.

Multiple buffer overflows in the dissect_pft_fec_detailed function in
the DCP-ETSI dissector in epan/dissectors/packet-dcp-etsi.c in
Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allow remote
attackers to cause a denial of service (application crash) via a
malformed packet.

epan/tvbuff.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5
does not properly validate certain length values for the MS-MMC
dissector, which allows remote attackers to cause a denial of service
(application crash) via a malformed packet.

The color management (CMM) functionality in the 2D component in Oracle
Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0
Update 40 and earlier allows remote attackers to execute arbitrary
code or cause a denial of service (crash) via an image with crafted
raster parameters, which triggers (1) an out-of-bounds read or (2)
memory corruption in the JVM, as exploited in the wild in February
2013.

Multiple cross-site scripting (XSS) vulnerabilities in
admin/FEAdmin.html in Fortinet FortiMail before 4.3.4 on FortiMail
Identity-Based Encryption (IBE) appliances allow user-assisted remote
attackers to inject arbitrary web script or HTML via (1) the Add field
for the Black List under Antispam Management User Preferences or (2)
the User name field for the Personal Black/White List in the AntiSpam
section.

Unspecified vulnerability in dcraw 0.8.x through 0.8.9, as used in
libraw, ufraw, shotwell, and other products, allows context-dependent
attackers to cause a denial of service via a crafted photo file that
triggers a (1) divide-by-zero, (2) infinite loop, or (3) NULL pointer
dereference.

Microsoft Internet Explorer 8 does not properly handle objects in
memory, which allows remote attackers to execute arbitrary code by
accessing an object that (1) was not properly allocated or (2) is
deleted, as exploited in the wild in May 2013.

The Cisco Small Business 200 Series Smart Switch 1.2.7.76 and earlier,
Small Business 300 Series Managed Switch 1.2.7.76 and earlier, and
Small Business 500 Series Stackable Managed Switch 1.2.7.76 and
earlier allow remote attackers to cause a denial of service (SSL/TLS
layer outage) via malformed (1) SSH or (2) SSL packets, aka Bug ID
CSCua30246.

Multiple cross-site request forgery (CSRF) vulnerabilities in the
server in Cisco Unified MeetingPlace before 7.1(2.2000) allow remote
attackers to hijack the authentication of unspecified victims via
unknown vectors, aka Bug ID CSCuc64903. NOTE: some of these details
are obtained from third party information.

language-selector 0.110.x before 0.110.1, 0.90.x before 0.90.1, and
0.79.x before 0.79.4 does not properly use D-Bus for communication
with a polkit authority, which allows local users to bypass intended
access restrictions by leveraging a PolkitUnixProcess PolkitSubject
race condition via a (1) setuid process or (2) pkexec process, a
related issue to CVE-2013-4288.

backend.py in Jockey before 0.9.7-0ubuntu7.11 does not properly use
D-Bus for communication with a polkit authority, which allows local
users to bypass intended access restrictions by leveraging a
PolkitUnixProcess PolkitSubject race condition via a (1) setuid
process or (2) pkexec process, a related issue to CVE-2013-4288.

apt-xapian-index before 0.45ubuntu2.1, 0.44ubuntu7.1, and
0.44ubuntu5.1 does not properly use D-Bus for communication with a
polkit authority, which allows local users to bypass intended access
restrictions by leveraging a PolkitUnixProcess PolkitSubject race
condition via a (1) setuid process or (2) pkexec process, a related
issue to CVE-2013-4288.

usb-creator 0.2.47 before 0.2.47.1, 0.2.40 before 0.2.40ubuntu2, and
0.2.38 before 0.2.38.2 does not properly use D-Bus for communication
with a polkit authority, which allows local users to bypass intended
access restrictions by leveraging a PolkitUnixProcess PolkitSubject
race condition via a (1) setuid process or (2) pkexec process, a
related issue to CVE-2013-4288.

ubuntu-system-service 0.2.4 before 0.2.4.1, 0.2.3 before 0.2.3.1, and
0.2.2 before 0.2.2.1 does not properly use D-Bus for communication
with a polkit authority, which allows local users to bypass intended
access restrictions by leveraging a PolkitUnixProcess PolkitSubject
race condition via a (1) setuid process or (2) pkexec process, a
related issue to CVE-2013-4288.

dbus/SoftwarePropertiesDBus.py in Software Properties 0.92.17 before
0.92.17.3, 0.92.9 before 0.92.9.3, and 0.82.7 before 0.82.7.5 does not
properly use D-Bus for communication with a polkit authority, which
allows local users to bypass intended access restrictions by
leveraging a PolkitUnixProcess PolkitSubject race condition via a (1)
setuid process or (2) pkexec process, a related issue to
CVE-2013-4288.

Multiple unspecified vulnerabilities in the IPC layer in Google Chrome
before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on
Mac OS X, allow remote attackers to cause a denial of service or
possibly have other impact via unknown vectors.

Multiple unspecified vulnerabilities in the IPC layer in Google Chrome
before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on
Mac OS X, allow remote attackers to cause a denial of service (memory
corruption) or possibly have other impact via unknown vectors.

The (1) doubles2str and (2) shorts2str functions in libavcodec/tiff.c
in FFmpeg before 1.1.3 allow remote attackers to have an unspecified
impact via a crafted TIFF image, related to an out-of-bounds array
access.

The swr_init function in libswresample/swresample.c in FFmpeg before
1.1.3 allows remote attackers to have an unspecified impact via an
invalid or unsupported (1) input or (2) output channel layout, related
to an out-of-bounds array access.

The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg
before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large (1) cbp0 or (2) cbpz chunk in Westwood
Studios VQA Video file, which triggers an out-of-bounds write.

The roq_decode_init function in libavcodec/roqvideodec.c in FFmpeg
before 1.1 allows remote attackers to have an unspecified impact via a
crafted (1) width or (2) height dimension that is not a multiple of
sixteen in id RoQ video data.

Integer signedness error in the pixman_fill_sse2 function in
pixman-sse2.c in Pixman, as distributed with Cairo and used in Mozilla
Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird
before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before
2.17, and other products, allows remote attackers to execute arbitrary
code via crafted values that trigger attempted use of a (1) negative
box boundary or (2) negative box size, leading to an out-of-bounds
write operation.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 20.0 and SeaMonkey before 2.17 allow remote attackers
to cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via vectors related to the
nsContentUtils::HoldJSObjects function and the nsAutoPtr class, and
other vectors.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before
17.0.1, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12
and 17.x before 17.0.1, and SeaMonkey before 2.15 allow remote
attackers to cause a denial of service (memory corruption and
application crash) or possibly execute arbitrary code via unknown
vectors.

Multiple untrusted search path vulnerabilities in Global Mapper 14.1.0
allow local users to gain privileges via a Trojan horse (1) dwmapi.dll
or (2) ibfs32.dll file in the current working directory, as
demonstrated by a directory that contains a .gmc, .gmg, .gmp, .gms,
.gmw, or .opt file.

Multiple buffer overflows in IBM Tivoli Netcool System Service
Monitors (SSM) and Application Service Monitors (ASM) 4.0.0 before
FP14 and 4.0.1 before FP1 allow context-dependent attackers to execute
arbitrary code or cause a denial of service via a long line in (1)
hrfstable.idx, (2) hrdevice.idx, (3) hrstorage.idx, or (4)
lotusmapfile in the SSM Config directory, or (5) .manifest.hive in the
main agent directory.

IBM Storwize V7000 Unified 1.3.x and 1.4.x before 1.4.2.0 does not
properly handle device files that are created with the NFS protocol
but accessed with a non-NFS protocol, which allows remote
authenticated users to obtain sensitive information, modify programs
or files, or cause a denial of service (device crash) via a (1) CIFS,
(2) HTTPS, (3) SCP, or (4) SFTP operation.

The SMB2 implementation in Samba 3.6.x before 3.6.6, as used on the
IBM Storwize V7000 Unified 1.3 before 1.3.2.3 and 1.4 before 1.4.0.1
and possibly other products, does not properly enforce CIFS share
attributes, which allows remote authenticated users to (1) write to a
read-only share; (2) trigger data-integrity problems related to the
oplock, locking, coherency, or leases attribute; or (3) have an
unspecified impact by leveraging incorrect handling of the browseable
or "hide unreadable" parameter.

arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when
transparent huge pages are used, does not properly support PROT_NONE
memory regions, which allows local users to cause a denial of service
(system crash) via a crafted application.

The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before
1.0.3 for Ruby does not properly restrict casts of string values,
which allows remote attackers to conduct object-injection attacks and
execute arbitrary code, or cause a denial of service (memory and CPU
consumption) involving nested XML entity references, by leveraging
Action Pack support for (1) YAML type conversion or (2) Symbol type
conversion, a similar vulnerability to CVE-2013-0156.

The SUSE coreutils-i18n.patch for GNU coreutils allows
context-dependent attackers to cause a denial of service (segmentation
fault and crash) via a long string to the sort command, when using the
(1) -d or (2) -M switch, which triggers a stack-based buffer overflow
in the alloca function.

The (1) sss_autofs_cmd_getautomntent and (2)
sss_autofs_cmd_getautomntbyname function in
responder/autofs/autofssrv_cmd.c and the (3) ssh_cmd_parse_request
function in responder/ssh/sshsrv_cmd.c in System Security Services
Daemon (SSSD) before 1.9.4 allow remote attackers to cause a denial of
service (out-of-bounds read, crash, and restart) via a crafted SSSD
packet.

multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and
possibly other products, does not properly restrict casts of string
values, which allows remote attackers to conduct object-injection
attacks and execute arbitrary code, or cause a denial of service
(memory and CPU consumption) involving nested XML entity references,
by leveraging support for (1) YAML type conversion or (2) Symbol type
conversion, a similar vulnerability to CVE-2013-0156.

Samba 4.0.x before 4.0.1, in certain Active Directory
domain-controller configurations, does not properly interpret Access
Control Entries that are based on an objectClass, which allows remote
authenticated users to bypass intended restrictions on modifying LDAP
directory objects by leveraging (1) objectClass access by a user, (2)
objectClass access by a group, or (3) write access to an attribute.

OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d
does not properly perform signature verification for OCSP responses,
which allows remote OCSP servers to cause a denial of service (NULL
pointer dereference and application crash) via an invalid key.

(a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably
other versions allow local users to determine the existence of
restricted directories by (1) using the --guess-fstype command-line
option or (2) attempting to mount a non-existent device, which
generates different error messages depending on whether the directory
exists.

active_support/core_ext/hash/conversions.rb in Ruby on Rails before
2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before
3.2.11 does not properly restrict casts of string values, which allows
remote attackers to conduct object-injection attacks and execute
arbitrary code, or cause a denial of service (memory and CPU
consumption) involving nested XML entity references, by leveraging
Action Pack support for (1) YAML type conversion or (2) Symbol type
conversion.
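The nori, multi_xml and Active Support entries above all describe one mechanism: an XML parameter parser that honours a type attribute on each element and casts the element text through a table that includes Symbol and YAML conversion, so an unauthenticated request body chooses both the Ruby type and, for YAML, the object graph. The Ruby below is an added illustration, not code from Rails, nori or multi_xml; the cast table, the Widget class and the request fragment are constructed stand-ins. It shows the vulnerable table beside one with the two casts removed, which is the shape of the workaround the Rails advisory gave for CVE-2013-0156 (deleting the "symbol" and "yaml" entries from ActiveSupport::XmlMini::PARSING).

```ruby
require 'yaml'

# Constructed stand-in for an application class an attacker could name in a
# YAML payload; it exists only so the YAML cast below has something to build.
class Widget
  attr_accessor :name
end

# Hypothetical mirror of a PARSING-style cast table: the XML `type` attribute
# selects a proc that is applied to the element's text. The last two entries
# are the casts named in the advisories above.
VULNERABLE_PARSING = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },   # attacker-chosen Symbols
  "yaml"    => ->(s) {               # arbitrary Ruby objects
    YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(s) : YAML.load(s)
  },
}.freeze

# Hardened table: the same workaround the Rails advisory recommended, i.e. the
# two dangerous casts are removed so those types fall through to plain Strings.
HARDENED_PARSING = VULNERABLE_PARSING.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Cast one element's text according to its `type` attribute; an unknown or
# missing type returns the text unchanged as a String.
def cast_value(type, text, table)
  conv = table[type]
  conv ? conv.call(text) : text
end

# Constructed request fragment: (type attribute, text) pairs as they would come
# out of a parsed XML body. The YAML payload instantiates only the harmless
# Widget above; the point is that the class name is attacker-controlled.
SAMPLE_PARAMS = [
  ["integer", "42"],
  ["symbol",  "admin"],
  ["yaml",    "--- !ruby/object:Widget\nname: pwned\n"],
].freeze

# Apply a cast table to every sample element and return the resulting values.
def cast_all(table)
  SAMPLE_PARAMS.map { |type, text| cast_value(type, text, table) }
end

if __FILE__ == $0
  puts "vulnerable table:"
  cast_all(VULNERABLE_PARSING).each { |v| puts "  #{v.class}: #{v.inspect}" }
  puts "hardened table:"
  cast_all(HARDENED_PARSING).each { |v| puts "  #{v.class}: #{v.inspect}" }
end
```

With the vulnerable table the "symbol" element becomes :admin and the "yaml" element becomes a live Widget; with the hardened table both stay Strings while ordinary integer casts still work. The block does not reproduce the entity-expansion denial of service the entries also mention, and the Symbol case matters most on Ruby releases before 2.2, where Symbols were never garbage collected.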

Multiple directory traversal vulnerabilities in the EditDocument
servlet in the Frontend in Mutiny before 5.0-1.11 allow remote
authenticated users to upload and execute arbitrary programs, read
arbitrary files, or cause a denial of service (file deletion or
renaming) via (1) the uploadPath parameter in an UPLOAD operation; the
paths[] parameter in a (2) DELETE, (3) CUT, or (4) COPY operation; or
the newPath parameter in a (5) CUT or (6) COPY operation.

The sock_setsockopt function in net/core/sock.c in the Linux kernel
before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf,
which allows local users to cause a denial of service (memory
corruption and system crash) or possibly have unspecified other impact
by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt
system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option.

GE Healthcare Centricity PACS 4.0 Server has a default password of (1)
nasro for the nasro (ReadOnly) user and (2) nasrw for the nasrw
(Read/Write) user, which has unspecified impact and attack vectors.

Directory traversal vulnerability in index.php in phpMoneyBooks 1.0.4
allows remote attackers to read arbitrary files via a .. (dot dot) in
the file parameter, a different vulnerability than CVE-2012-1669.
NOTE: the provenance of this information is unknown; the details are
obtained solely from third party information. NOTE: this issue might
have been fixed in 1.0.3.

GE Healthcare Precision MPi has a password of (1) orion for the
serviceapp user, (2) orion for the clinical operator user, and (3)
PlatinumOne for the administrator user, which has unspecified impact
and attack vectors. NOTE: it is not clear whether these passwords are
default, hardcoded, or dependent on another system or product that
requires a fixed value.

Multiple cross-site scripting (XSS) vulnerabilities in Vessio NetBill
1.2 allow remote attackers to inject arbitrary web script or HTML via
the (1) full name or (2) file title to accounts/admin/index.php or (3)
comment parameter in the support page to accounts/index2.php.

Multiple cross-site scripting (XSS) vulnerabilities in the
FirstLastNames plugin 1.1.1 for Vanilla Forums allow remote attackers
to inject arbitrary web script or HTML via the (1) User/FirstName or
(2) User/LastName parameter to the edit user page. NOTE: some of these
details are obtained from third party information.

The ATM implementation in the Linux kernel before 3.6 does not
initialize certain structures, which allows local users to obtain
sensitive information from kernel stack memory via a crafted
application.

The Bluetooth RFCOMM implementation in the Linux kernel before 3.6
does not properly initialize certain structures, which allows local
users to obtain sensitive information from kernel memory via a crafted
application.

The Bluetooth protocol stack in the Linux kernel before 3.6 does not
properly initialize certain structures, which allows local users to
obtain sensitive information from kernel stack memory via a crafted
application that targets the (1) L2CAP or (2) HCI implementation.

net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not
initialize certain structures, which allows local users to obtain
sensitive information from kernel memory by leveraging the
CAP_NET_ADMIN capability.

net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not verify
that the actual Netlink message length is consistent with a certain
header field, which allows local users to obtain sensitive information
from kernel heap memory by leveraging the CAP_NET_ADMIN capability and
providing a (1) new or (2) updated state.

Multiple SQL injection vulnerabilities in the advanced search in
Wikidforum 2.10 allow remote attackers to execute arbitrary SQL
commands via the (1) select_sort or (2) opt_search_select parameters.
NOTE: this issue could not be reproduced by third parties.

Multiple cross-site scripting (XSS) vulnerabilities in NetArt Media
Car Portal 3.0 allow remote attackers to inject arbitrary web script
or HTML via the (1) PWRS or (2) Description field when posting a new
vehicle; (3) news title when creating news; (4) Name when creating a
sub user; (5) group name when creating a group; or (6) dealer name,
(7) first name, or (8) last name when changing a profile.

Opera before 12.10 follows Internet shortcuts that are referenced by a
(1) IMG element or (2) other inline element, which makes it easier for
remote attackers to conduct phishing attacks via a crafted web site,
as exploited in the wild in November 2012.

Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10
establishes multiple hardcoded accounts, which makes it easier for
remote attackers to obtain administrative access by reading a password
in a PHP script, a similar issue to CVE-2012-5862.

Multiple stack-based buffer overflows in http.c in OpenConnect before
4.08 allow remote VPN gateways to cause a denial of service
(application crash) via a long (1) hostname, (2) path, or (3) cookie
list in a response.

Multiple cross-site request forgery (CSRF) vulnerabilities in
user/messageselect.php in the messaging system in Moodle 2.2.x before
2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote
attackers to hijack the authentication of arbitrary users for requests
that send course messages.

ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows
local users to modify the ownership of arbitrary files via a race
condition and a symlink attack on the (1) MKD or (2) XMKD commands.

Multiple stack-based buffer overflows in the expand function in
os/pl-glob.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow
remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted filename.

Multiple stack-based buffer overflows in the canoniseFileName function
in os/pl-os.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow
remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted filename.

The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not
require authentication, which allows remote attackers to (1) execute
commands via the command-line interface in the TCP listener service or
(2) transfer files via requests to the TCP listener service.

The dissect_rtcp_app function in epan/dissectors/packet-rtcp.c in the
RTCP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4
allows remote attackers to cause a denial of service (infinite loop)
via a crafted packet.

epan/dissectors/packet-3g-a11.c in the 3GPP2 A11 dissector in
Wireshark 1.8.x before 1.8.4 allows remote attackers to cause a denial
of service (infinite loop) via a zero value in a sub-type length
field.

Open Solution Quick.Cart 5.0 allows remote attackers to obtain
sensitive information via (1) a long string or (2) invalid characters
in a cookie, which reveals the installation path in an error message.

admin/core/admin_func.php in razorCMS before 1.2.1 does not properly
restrict access to certain administrator directories and files, which
allows remote authenticated users to read, edit, rename, move, copy
and delete files via the (1) dir parameter in a fileman or (2)
filemanview action. NOTE: this issue has been referred to as a "path
traversal."

Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x
before 1.4.5 and 1.5.x before 1.5.4, and other versions including 1.2,
allow remote attackers to inject arbitrary web script or HTML via a
CSV header with "unknown fields," which are not properly handled in
error messages in the (1) bulk user, (2) group, and (3) group member
upload capabilities. NOTE: this issue was originally part of
CVE-2012-2243, but that ID was SPLIT due to different issues by
different researchers.

The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3)
tmemc_restore_flush_page functions in the Transcendent Memory (TMEM)
in Xen 4.0, 4.1, and 4.2 do not check for negative id pools, which
allows local guest OS users to cause a denial of service (memory
corruption and host crash) or possibly execute arbitrary code via
unspecified vectors. NOTE: this issue was originally published as part
of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT
into this ID and others.

The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv
functions and the (3) TMEMC_SAVE_GET_POOL_UUID sub-operation in the
Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 "do not check
incoming guest output buffer pointers," which allows local guest OS
users to cause a denial of service (memory corruption and host crash)
or execute arbitrary code via unspecified vectors. NOTE: this issue
was originally published as part of CVE-2012-3497, which was too
general; CVE-2012-3497 has been SPLIT into this ID and others.

Multiple integer overflows in the (1) tmh_copy_from_client and (2)
tmh_copy_to_client functions in the Transcendent Memory (TMEM) in Xen
4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of
service (memory corruption and host crash) via unspecified vectors.
NOTE: this issue was originally published as part of CVE-2012-3497,
which was too general; CVE-2012-3497 has been SPLIT into this ID and
others.

The (1) SimpleTree and (2) ReportTree classes in the ARDoc ActiveX
control (ARDoc.dll) in Quest InTrust 10.4.0.853 and earlier do not
properly implement the SaveToFile method, which allows remote
attackers to write or overwrite arbitrary files via the bstrFileName
argument.

Multiple off-by-one errors in NMMediaServerService.dll in Nero
MediaHome 4.5.8.0 and earlier allow remote attackers to cause a denial
of service (crash) via a long string in the (1) request line or (2)
HTTP Referer header to TCP port 54444, which triggers a heap-based
buffer overflow.

The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and
2.1.0.0 through 2.1.0.2, when a collective configuration is enabled,
has a single secret key that is shared across different customers'
installations, which allows remote attackers to spoof a container
server by (1) sniffing the network to locate a cleartext transmission
of this key or (2) leveraging knowledge of this key from another
installation.

Multiple SQL injection vulnerabilities in dotProject before 2.1.7
allow remote authenticated administrators to execute arbitrary SQL
commands via the (1) search_string or (2) where parameter in a
contacts action, (3) dept_id parameter in a departments action, (4)
project_id[] parameter in a project action, or (5) company_id
parameter in a system action to index.php. NOTE: this can be leveraged
using CSRF to allow remote attackers to execute arbitrary SQL
commands.

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly
Citrix CloudStack) before 3.0.6 stores sensitive information in the
log4j.conf log file, which allows local users to obtain (1) the SSH
private key as recorded by the createSSHKeyPair API, (2) the password
of an added host as recorded by the AddHost API, or the password of an
added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM
API.

** DISPUTED **
MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and
possibly other versions, when configured to assign the FILE privilege
to users who should not have administrative privileges, allows remote
authenticated users to gain privileges by leveraging the FILE
privilege to create files as the MySQL administrator. NOTE: the vendor
disputes this issue, stating that this is only a vulnerability when
the administrator does not follow recommendations in the product's
installation documentation. NOTE: it could be argued that this should
not be included in CVE because it is a configuration issue.

CGI.pm module before 3.63 for Perl does not properly escape newlines
in (1) Set-Cookie or (2) P3P headers, which might allow remote
attackers to inject arbitrary headers into responses from applications
that use CGI.pm.

The send_to_sourcefire function in manage_sql.c in OpenVAS Manager 3.x
before 3.0.4 allows remote attackers to execute arbitrary commands via
the (1) IP address or (2) port number field in an OMP request.

Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi
before 2.1.0.3974 allow remote attackers to cause a denial of service
(tvMobiliService service crash) via a long string in a (1) GET or (2)
HEAD request to TCP port 30888.

Multiple buffer overflows in the Pdf Printer Preferences ActiveX
Control in pdfxctrl.dll in Tracker Software PDF-XChange 3.60.0128
allow remote attackers to execute arbitrary code via a long string in
the (1) sub_path parameter to the StoreInRegistry function or (2)
sub_key parameter to the InitFromRegistry function.

Adobe Flash Player before 10.3.183.43 and 11.x before 11.5.502.110 on
Windows and Mac OS X, before 10.3.183.43 and 11.x before 11.2.202.251
on Linux, before 11.1.111.24 on Android 2.x and 3.x, and before
11.1.115.27 on Android 4.x; Adobe AIR before 3.5.0.600; and Adobe AIR
SDK before 3.5.0.600 allow attackers to execute arbitrary code or
cause a denial of service (memory corruption) via unspecified vectors.

epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x
before 1.8.3 uses incorrect OUI data structures during the decoding of
(1) PPP and (2) LCP data, which allows remote attackers to cause a
denial of service (assertion failure and application exit) via a
malformed packet.

miniCMS 1.0 and 2.0 allows remote attackers to execute arbitrary PHP
code via a crafted (1) pagename or (2) area variable containing an
executable extension, which is not properly handled by (a) update.php
when writing files to content/, or (b) updatenews.php when writing
files to content/news/.

Google Chrome before 23.0.1271.64 on Mac OS X does not properly
mitigate improper write behavior in graphics drivers, which allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors that trigger "wild
writes."

Cisco IOS before 15.1(2)SY allows remote authenticated users to cause
a denial of service (device crash) by establishing an SSH session from
a client and then placing this client into a (1) slow or (2) idle
state, aka Bug ID CSCto87436.

Mercury MR804 Router 8.0 3.8.1 Build 101220 Rel.53006nB allows remote
attackers to cause a denial of service (service hang) via a crafted
string in HTTP header fields such as (1) If-Modified-Since, (2)
If-None-Match, or (3) If-Unmodified-Since. NOTE: some of these details
are obtained from third party information.

Multiple directory traversal vulnerabilities in the View Log Files
component in Axigen Free Mail Server allow remote attackers to read or
delete arbitrary files via a .. (dot dot) in (1) the fileName
parameter in a download action to source/loggin/page_log_dwn_file.hsp,
or the fileName parameter in (2) an edit action or (3) a delete action
to the default URI.

The rtrlet web application in the Web Console in Novell ZENworks Asset
Management (ZAM) 7.5 uses a hard-coded username of Ivanhoe and a
hard-coded password of Scott for the (1) GetFile_Password and (2)
GetConfigInfo_Password operations, which allows remote attackers to
obtain sensitive information via a crafted rtrlet/rtr request for the
HandleMaintenanceCalls function.

Multiple SQL injection vulnerabilities in approve.php in Img Pals
Photo Host 1.0 allow remote attackers to execute arbitrary SQL
commands via the u parameter in a (1) app0 or (2) app1 action. NOTE:
the provenance of this information is unknown; the details are
obtained solely from third party information.

Multiple cross-site scripting (XSS) vulnerabilities in FlatnuX CMS
2012-03.08 and earlier allow remote attackers to inject arbitrary web
script or HTML via the (1) title_en, (2) summary_en, or (3) body_en
parameter in a submitnews action to the news module, a different
vulnerability than CVE-2012-4890. NOTE: the provenance of this
information is unknown; the details are obtained solely from third
party information.

Cross-site scripting (XSS) vulnerability in fw/index2.do in
ManageEngine Firewall Analyzer 7.2 allows remote attackers to inject
arbitrary web script or HTML via the url parameter, a different vector
than CVE-2012-4889. NOTE: the provenance of this information is
unknown; the details are obtained solely from third party information.

Multiple untrusted search path vulnerabilities in 3DVIA Composer
V6R2012 HF1 Build 6.8.1.1652 allow local users to gain privileges via
a Trojan horse (1) dwmapi.dll or (2) ibfs32.dll file in the current
working directory, as demonstrated by a directory that contains a .smg
file. NOTE: the provenance of this information is unknown; the details
are obtained solely from third party information.

Multiple untrusted search path vulnerabilities in 3D XML Player
6.212.13.12076 allow local users to gain privileges via a Trojan horse
(1) dwmapi.dll or (2) JT0DevPhase.dll file in the current working
directory, as demonstrated by a directory that contains a .3dx file.
NOTE: the provenance of this information is unknown; the details are
obtained solely from third party information.

Multiple untrusted search path vulnerabilities in DVD Architect Pro
5.2 Build 133 and DVD Architect Studio 5.0 Build 156 allow local users
to gain privileges via a Trojan horse (1) enc_mp2v.200 or (2)
CFHDDecoder.dll file in the current working directory, as demonstrated
by a directory that contains a .dar file. NOTE: the provenance of this
information is unknown; the details are obtained solely from third
party information.

The Linux Console on the WAGO I/O System 758 model 758-870, 758-874,
758-875, and 758-876 Industrial PC (IPC) devices has a default
password of wago for the (1) root and (2) admin accounts, (3) a
default password of user for the user account, and (4) a default
password of guest for the guest account, which makes it easier for
remote attackers to obtain login access via a TELNET session, a
different vulnerability than CVE-2012-3013.

Use-after-free vulnerability in Microsoft Internet Explorer 6 through
8 allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to an object that (1) was not properly
allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object,
and exploited in the wild in December 2012.

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10
allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to an object that (1) was not properly
initialized or (2) is deleted, aka "Improper Ref Counting Use After
Free Vulnerability."

Multiple untrusted search path vulnerabilities in CyberLink
PowerProducer 5.5.3.2325 allow local users to gain privileges via a
Trojan horse (1) mfc71loc.dll or (2) mfc71enu.dll file in the current
working directory, as demonstrated by a directory that contains a .ppp
or .rdf file. NOTE: the provenance of this information is unknown; the
details are obtained solely from third party information.

Multiple untrusted search path vulnerabilities in CyberLink
StreamAuthor 4.0 build 3308 allow local users to gain privileges via a
Trojan horse (1) mfc71loc.dll or (2) mfc71enu.dll file in the current
working directory, as demonstrated by a directory that contains a .sta
or .stp file. NOTE: the provenance of this information is unknown; the
details are obtained solely from third party information.

Multiple untrusted search path vulnerabilities in CyberLink LabelPrint
2.5.3602 allow local users to gain privileges via a Trojan horse (1)
mfc71loc.dll or (2) mfc71enu.dll file in the current working
directory, as demonstrated by a directory that contains a .lpp file.
NOTE: the provenance of this information is unknown; the details are
obtained solely from third party information.

Multiple untrusted search path vulnerabilities in MindManager 2012
10.0.493 allow local users to gain privileges via a Trojan horse (1)
ssgp.dll or (2) dwmapi.dll file in the current working directory, as
demonstrated by a directory that contains a .mmap file. NOTE: some of
these details are obtained from third party information.

N-Tron 702-W Industrial Wireless Access Point devices use the same (1)
SSH and (2) HTTPS private keys across different customers'
installations, which makes it easier for remote attackers to defeat
cryptographic protection mechanisms by leveraging knowledge of a key.

Moxa EDR-G903 series routers with firmware before 2.11 do not use a
sufficient source of entropy for (1) SSH and (2) SSL keys, which makes
it easier for man-in-the-middle attackers to spoof a device or modify
a client-server data stream by leveraging knowledge of a key from a
product installation elsewhere.

Multiple vulnerabilities in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 6 and earlier allow remote
attackers to execute arbitrary code via a crafted applet that bypasses
SecurityManager restrictions by (1) using
com.sun.beans.finder.ClassFinder.findClass and leveraging an exception
with the forName method to access restricted classes from arbitrary
packages such as sun.awt.SunToolkit, then (2) using "reflection with a
trusted immediate caller" to leverage the getField method to access
and modify private fields, as exploited in the wild in August 2012
using Gondzz.class and Gondvv.class.

The errorExitIfAttackViaString function in Tunnelblick 3.3beta20 and
earlier allows local users to delete arbitrary files by constructing a
(1) symlink or (2) hard link, a different vulnerability than
CVE-2012-3485.

Tigase XMPP Server before 5.1.0 does not verify that a request was
made for an XMPP Server Dialback response, which allows remote XMPP
servers to spoof domains via a (1) Verify Response or (2)
Authorization Response.

Multiple cross-site scripting (XSS) vulnerabilities in the
balancer_handler function in the manager interface in
mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache
HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow
remote attackers to inject arbitrary web script or HTML via a crafted
string.

The PV domain builder in Xen 4.2 and earlier does not validate the
size of the kernel or ramdisk (1) before or (2) after decompression,
which allows local guest administrators to cause a denial of service
(domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.

The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in
Xen 2.2 allow local guest OS administrators to cause a denial of
service (Xen crash) via a crafted pirq value that triggers an
out-of-bounds read.

cmdmon.c in Chrony before 1.29 allows remote attackers to obtain
potentially sensitive information from stack memory via vectors
related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to
the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES
command to the handle_client_accesses function when client logging is
disabled, which causes uninitialized data to be included in a reply.

Multiple cross-site scripting (XSS) vulnerabilities in the
galleryformatter_field_formatter_view function in
galleryformatter.tpl.php in the Gallery formatter module before 7.x-1.2
for Drupal allow remote authenticated users with permissions to create
a node or entity to inject arbitrary web script or HTML via the (1)
title or (2) alt parameter.

The (1) do_siocgstamp and (2) do_siocgstampns functions in
net/socket.c in the Linux kernel before 3.5.4 use an incorrect
argument order, which allows local users to obtain sensitive
information from kernel memory or cause a denial of service (system
crash) via a crafted ioctl call.

Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows
context-dependent attackers to bypass safe-level restrictions and
modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API
function, which marks the string as tainted, a different vulnerability
than CVE-2012-4466. NOTE: this issue might exist because of a
CVE-2011-1005 regression.

The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone
Essex before 2012.1.2 and Folsom before folsom-2 do not properly
validate X-Auth-Token, which allows remote attackers to read the roles
for an arbitrary user or get, create, or delete arbitrary services.

MySQL 5.0.88, and possibly other versions and platforms, allows local
users to bypass certain privilege checks by calling CREATE TABLE on a
MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY
arguments that are originally associated with pathnames without
symlinks, and that can point to tables created at a future time at
which a pathname is modified to contain a symlink to a subdirectory of
the MySQL data home directory, related to incorrect calculation of the
mysql_unpacked_real_data_home value. NOTE: this vulnerability exists
because of a CVE-2009-4030 regression, which was not omitted in other
packages and versions such as MySQL 5.0.95 in Red Hat Enterprise Linux
6.

The virNetServerProgramDispatchCall function in libvirt before 0.10.2
allows remote attackers to cause a denial of service (NULL pointer
dereference and segmentation fault) via an RPC call with (1) an event
as the RPC number or (2) an RPC number whose value is in a "gap" in
the RPC dispatch table.

Multiple SQL injection vulnerabilities in the replication code in
Oracle MySQL possibly before 5.5.29, and MariaDB 5.1.x through 5.1.62,
5.2.x through 5.2.12, 5.3.x through 5.3.7, and 5.5.x through 5.5.25,
allow remote authenticated users to execute arbitrary SQL commands via
vectors related to the binary log. NOTE: as of 20130116, Oracle has
not commented on claims from a downstream vendor that the fix in MySQL
5.5.29 is incomplete.

Multiple integer underflows in the icmLut_allocate function in
International Color Consortium (ICC) Format library (icclib), as used
in Ghostscript 9.06 and Argyll Color Management System, allow remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted (1) PostScript or (2) PDF file with
embedded images, which triggers a heap-based buffer overflow. NOTE:
this issue is also described as an array index error.

The Amazon Kindle Touch before 5.1.2 does not properly restrict access
to the libkindleplugin.so NPAPI plugin interface, which might allow
remote attackers to have an unspecified impact via vectors involving
the (1) dev.log, (2) lipc.set, (3) lipc.get, or (4) todo.scheduleItems
method, a different vulnerability than CVE-2012-4249.

Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x
before 12.01 on Mac OS X, allows user-assisted remote attackers to
trick users into downloading and executing arbitrary files via a small
window for the download dialog, a different vulnerability than
CVE-2012-1924.

Eucalyptus before 3.1.1 does not properly restrict the binding of
external SOAP web-services messages, which allows remote authenticated
users to bypass unspecified authorization checks and obtain direct
access to a (1) Cloud Controller or (2) Walrus service via a crafted
message, as demonstrated by changes to a volume, snapshot, or cloud
configuration setting.

Eucalyptus before 3.1.1 does not properly restrict the binding of
external SOAP web-services messages, which allows remote authenticated
users to gain privileges by sending a message to (1) Cloud Controller
or (2) Walrus with the internal message format and a modified user id.

Multiple unspecified vulnerabilities in Google Chrome OS before
21.0.1180.50 on the Cr-48 and Samsung Series 5 and 5 550 Chromebook
platforms, and the Samsung Chromebox Series 3, have unknown impact and
attack vectors.

Summer Institute of Linguistics (SIL) Graphite 2, as used in Mozilla
Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before
2.12, allows remote attackers to execute arbitrary code or cause a
denial of service (memory corruption) via vectors related to the (1)
Silf::readClassMap and (2) Pass::readPass functions.

Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and
SeaMonkey before 2.12 allow remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a negative height
value in a BMP image within a .ICO file, related to (1) improper
handling of the transparency bitmask by the nsICODecoder component and
(2) improper processing of the alpha channel by the nsBMPDecoder
component.

AirDroid 1.0.4 beta uses the MD5 algorithm for values in the
checklogin key parameter and 7bb cookie, which makes it easier for
remote attackers to obtain cleartext data by sniffing the local
wireless network and then conducting a (1) brute-force attack or (2)
rainbow-table attack.

Multiple integer underflows in Wireshark 1.4.x before 1.4.13 and 1.6.x
before 1.6.8 allow remote attackers to cause a denial of service
(loop) via vectors related to the R3 dissector, a different
vulnerability than CVE-2012-2392.

Multiple integer overflows in Wireshark 1.4.x before 1.4.13 and 1.6.x
before 1.6.8 allow remote attackers to cause a denial of service
(infinite loop) via vectors related to the (1) BACapp and (2)
Bluetooth HCI dissectors, a different vulnerability than
CVE-2012-2392.

Apple Xcode before 4.4 does not properly compose a designated
requirement (DR) during signing of programs that lack bundle
identifiers, which allows remote attackers to read keychain entries
via a crafted app, as demonstrated by the keychain entries of a (1)
helper tool or (2) command-line tool.

s2s/out.c in jabberd2 2.2.16 and earlier does not verify that a
request was made for an XMPP Server Dialback response, which allows
remote XMPP servers to spoof domains via a (1) Verify Response or (2)
Authorization Response.

The Netlink implementation in the Linux kernel before 3.2.30 does not
properly handle messages that lack SCM_CREDENTIALS data, which might
allow local users to spoof Netlink communication via a crafted
message, as demonstrated by a message to (1) Avahi or (2)
NetworkManager.

The networkstatus_parse_vote_from_string function in routerparse.c in
Tor before 0.2.2.38 does not properly handle an invalid flavor name,
which allows remote attackers to cause a denial of service
(out-of-bounds read and daemon crash) via a crafted (1) vote document
or (2) consensus document.

Multiple race conditions in the madvise_remove function in
mm/madvise.c in the Linux kernel before 3.4.5 allow local users to
cause a denial of service (use-after-free and system crash) via
vectors involving a (1) munmap or (2) close system call.

Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial
of service (CPU and memory consumption) via (1) a large number of
headers or (2) a large number of forged headers that trigger hash
collisions predictably.

The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp
module and (2) mod_proxy_http.c in the mod_proxy_http module in the
Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the
situations that require closing a back-end connection, which allows
remote attackers to obtain sensitive information in opportunistic
circumstances by reading a response that was intended for a different
client.

scripts/annotate-output.sh in devscripts before 2.12.2, as used in
rpmdevtools before 8.3, allows local users to modify arbitrary files
via a symlink attack on the temporary (1) standard output or (2)
standard error output file.

The xml_parse function in the libxml2 support in the core server
component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0
before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users
to determine the existence of arbitrary files or URLs, and possibly
obtain file or URL content that triggers a parsing error, via an XML
value that refers to (1) a DTD or (2) an entity, related to an XML
External Entity (aka XXE) issue.

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20,
8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not
properly restrict access to files and URLs, which allows remote
authenticated users to modify data, obtain sensitive information, or
trigger outbound traffic to arbitrary external hosts by leveraging (1)
stylesheet commands that are permitted by the libxslt security options
or (2) an xslt_process feature, related to an XML External Entity (aka
XXE) issue.

Tunnelblick 3.3beta20 and earlier relies on argv[0] to determine the
name of an appropriate (1) kernel module pathname or (2) executable
file pathname, which allows local users to gain privileges via an
execl system call.

Tunnelblick 3.3beta20 and earlier relies on a test for specific
ownership and permissions to determine whether a program can be safely
executed, which allows local users to bypass intended access
restrictions and gain privileges via a (1) user-mountable image or (2)
network share.

Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in
debug mode, allows remote NTLM servers to (1) cause a denial of
service (crash and delayed delivery of inbound mail) via a crafted
NTLM response that triggers an out-of-bounds read in the base64
decoder, or (2) obtain sensitive information from memory via an NTLM
Type 2 message with a crafted Target Name structure, which triggers an
out-of-bounds read.

The (1) django.http.HttpResponseRedirect and (2)
django.http.HttpResponsePermanentRedirect classes in Django before
1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect
target, which might allow remote attackers to conduct cross-site
scripting (XSS) attacks via a data: URL.

The rds_recvmsg function in net/rds/recv.c in the Linux kernel before
3.0.44 does not initialize a certain structure member, which allows
local users to obtain potentially sensitive information from kernel
stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS
socket.

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before
Folsom-1 and OpenStack Essex, does not properly implement token
expiration, which allows remote authenticated users to bypass intended
authorization restrictions by (1) creating new tokens through token
chaining, (2) leveraging possession of a token for a disabled user
account, or (3) leveraging possession of a token for an account with a
changed password.

libpcp in Performance Co-Pilot (PCP) before 3.6.5 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via (1) a PDU with the numcreds field value greater than the
number of actual elements to the __pmDecodeCreds function in
p_creds.c; (2) the string byte number value to the __pmDecodeNameList
function in p_pmns.c; (3) the numids value to the __pmDecodeIDList
function in p_pmns.c; (4) unspecified vectors to the __pmDecodeProfile
function in p_profile.c; the (5) status number value or (6) string
number value to the __pmDecodeNameList function in p_pmns.c; (7)
certain input to the __pmDecodeResult function in p_result.c; (8) the
name length field (namelen) to the DecodeNameReq function in p_pmns.c;
(9) a crafted PDU_FETCH request to the __pmDecodeFetch function in
p_fetch.c; (10) the namelen field in the __pmDecodeInstanceReq
function in p_instance.c; (11) the buflen field to the __pmDecodeText
function in p_text.c; (12) PDU_INSTANCE packets to the
__pmDecodeInstance in p_instance.c; or the (13) c_numpmid or (14)
v_numval fields to the __pmDecodeLogControl function in p_lcontrol.c,
which triggers integer overflows, heap-based buffer overflows, and/or
buffer over-reads.

Multiple stack-based buffer overflows in the Near Field Communication
Controller Interface (NCI) in the Linux kernel before 3.4.5 allow
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via incoming frames with crafted length fields.

WebNavigator in Siemens WinCC 7.0 SP3 and earlier, as used in SIMATIC
PCS7 and other products, stores sensitive information under the web
root with insufficient access control, which allows remote attackers
to read a (1) log file or (2) configuration file via a direct request.

The Innominate mGuard Smart HW before HW-101130 and BD before
BD-101030, mGuard industrial RS, mGuard delta HW before HW-103060 and
BD before BD-211010, mGuard PCI, mGuard blade, and EAGLE mGuard
appliances with software before 7.5.0 do not use a sufficient source
of entropy for private keys, which makes it easier for
man-in-the-middle attackers to spoof (1) HTTPS or (2) SSH servers by
predicting a key value.

Multiple untrusted search path vulnerabilities in RealFlex RealWin
before 2.1.13, FlexView before 3.1.86, and RealWinDemo before 2.1.13
allow local users to gain privileges via a Trojan horse (1)
realwin.dll or (2) keyhook.dll file in the current working directory.

Multiple cross-site request forgery (CSRF) vulnerabilities in the web
interface in Cerberus FTP Server before 5.0.5.0 allow remote attackers
to hijack the authentication of administrators for requests that (1)
add a user account or (2) reconfigure the state of the FTP service, as
demonstrated by a request to usermanager/users/modify.

Microsoft Windows Phone 7 does not verify the domain name in the
subject's Common Name (CN) field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof an SSL server for the (1) POP3,
(2) IMAP, or (3) SMTP protocol via an arbitrary valid certificate.

The MASetupCaller ActiveX control before 1.4.2012.508 in
MASetupCaller.dll in MarkAny ContentSAFER, as distributed in Samsung
KIES before 2.3.2.12074_13_13, does not properly implement unspecified
methods, which allows remote attackers to download an arbitrary
program onto a client machine, and execute this program, via a crafted
HTML document.

The PDF functionality in Google Chrome before 22.0.1229.79 allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger out-of-bounds write
operations.

libxslt 1.1.26 and earlier, as used in Google Chrome before
21.0.1180.89, does not properly manage memory, which might allow
remote attackers to cause a denial of service (application crash) via
a crafted XSLT expression that is not properly identified during XPath
navigation, related to (1) the xsltCompileLocationPathPattern function
in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in
libxslt/functions.c.

The PDF functionality in Google Chrome before 21.0.1180.75 allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger out-of-bounds write
operations.

The PDF functionality in Google Chrome before 21.0.1180.57 on Mac OS X
and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger out-of-bounds write
operations.

Multiple integer overflows in the PDF functionality in Google Chrome
before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on
Windows and Chrome Frame, allow remote attackers to cause a denial of
service or possibly have unspecified other impact via a crafted
document.

Multiple unspecified vulnerabilities in the PDF functionality in
Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before
21.0.1180.60 on Windows and Chrome Frame, allow remote attackers to
have an unknown impact via a crafted document.

Multiple integer overflows in the PDF functionality in Google Chrome
before 20.0.1132.43 allow remote attackers to cause a denial of
service or possibly have unspecified other impact via a crafted
document.

Multiple integer overflows in libxml2, as used in Google Chrome before
20.0.1132.43 and other products, on 64-bit Linux platforms allow
remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors.

Multiple unspecified vulnerabilities in libavcodec/wmalosslessdec.c in
FFmpeg before 0.11 have unknown impact and attack vectors related to
(1) size of "mclms arrays," (2) "a get_bits(0) in decode_ac_filter,"
and (3) "too many bits in decode_channel_residues()."

Multiple unspecified vulnerabilities in libavcodec/wmalosslessdec.c in
FFmpeg before 0.11 have unknown impact and attack vectors, related to
(1) "some subframes only encode some channels" or (2) a large order
value.

Multiple cross-site request forgery (CSRF) vulnerabilities in the Node
Hierarchy module 6.x-1.x before 6.x-1.5 for Drupal allow remote
attackers to hijack the authentication of administrators for requests
that change a node hierarchy position via an (1) up or (2) down
action.

The default views in the Organic Groups (OG) module 6.x-2.x before
6.x-2.4 for Drupal do not properly check permissions when all users
have the "access content" permission removed, which allows remote
attackers to bypass access restrictions and possibly have other
unspecified impact.

Multiple cross-site scripting (XSS) vulnerabilities in the Mobile
Tools module 6.x-2.x before 6.x-2.3 for Drupal allow remote attackers
to inject arbitrary web script or HTML via the (1) Mobile URL field or
(2) Desktop URL field to the General configuration page, or the (3)
message to the Mobile Tools block message options.

Multiple cross-site scripting (XSS) vulnerabilities in the
make_variant_list function in mod_negotiation.c in the mod_negotiation
module in the Apache HTTP Server 2.4.x before 2.4.3, when the
MultiViews option is enabled, allow remote attackers to inject
arbitrary web script or HTML via a crafted filename that is not
properly handled during construction of a variant list.

Multiple integer overflows in the (1) CallMalloc (malloc) and (2)
nedpcalloc (calloc) functions in nedmalloc (nedmalloc.c) before 1.10
beta2 make it easier for context-dependent attackers to perform
memory-related attacks such as buffer overflows via a large size
value, which causes less memory to be allocated than expected.

Multiple integer overflows in the (1) chk_malloc, (2) leak_malloc, and
(3) leak_memalign functions in libc/bionic/malloc_debug_leak.c in
Bionic (libc) for Android, when libc.debug.malloc is set, make it
easier for context-dependent attackers to perform memory-related
attacks such as buffer overflows via a large size value, which causes
less memory to be allocated than expected.

manageuser.php in Collabtive before 0.7.6 allows remote authenticated
users, and possibly unauthenticated attackers, to bypass intended
access restrictions and upload and execute arbitrary files by
uploading an avatar file with an accepted Content-Type such as
image/jpeg, then accessing it via a direct request to the file in
files/standard/avatar.

PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before
9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to
cause a denial of service (server crash) by adding the (1) SECURITY
DEFINER or (2) SET attributes to a procedural language's call handler.

The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom
(2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check
the protocol when security groups are created and the network protocol
is not specified entirely in lowercase, which allows remote attackers
to bypass intended access restrictions.

The PyGrub boot loader in Xen unstable before changeset
25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized
guest users to cause a denial of service (memory consumption) via a
large (1) bzip2 or (2) lzma compressed kernel image.

Multiple cross-site scripting (XSS) vulnerabilities in Mailtraq
2.17.3.3150 allow remote attackers to inject arbitrary web script or
HTML via an e-mail message subject with (1) a JavaScript alert
function used in conjunction with the fromCharCode method or (2) a
SCRIPT element; an e-mail message body with (3) a crafted SRC
attribute of an IFRAME element, (4) a data: URL in the CONTENT
attribute of an HTTP-EQUIV="refresh" META element, or (5) a Cascading
Style Sheets (CSS) expression property in the STYLE attribute of an
IMG element; or an e-mail message Date header with (6) a JavaScript
alert function used in conjunction with the fromCharCode method, (7) a
SCRIPT element, (8) a CSS expression property in the STYLE attribute
of an arbitrary element, (9) a crafted SRC attribute of an IFRAME
element, or (10) a data: URL in the CONTENT attribute of an
HTTP-EQUIV="refresh" META element.

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket
Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before
3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5,
3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to
inject arbitrary web script or HTML via an e-mail message body with
(1) a Cascading Style Sheets (CSS) expression property in the STYLE
attribute of an arbitrary element or (2) UTF-7 text in an
HTTP-EQUIV="CONTENT-TYPE" META element.

The HostScan downloader implementation in Cisco AnyConnect Secure
Mobility Client 3.x before 3.0 MR8 and Cisco Secure Desktop before
3.6.6020 does not compare the timestamp of offered software to the
timestamp of installed software, which allows remote attackers to
force a version downgrade by using (1) ActiveX or (2) Java components
to offer signed code that corresponds to an older software release,
aka Bug ID CSCtx74235.

The VPN downloader implementation in the WebLaunch feature in Cisco
AnyConnect Secure Mobility Client 2.x before 2.5 MR6 and 3.x before
3.0 MR8 does not compare the timestamp of offered software to the
timestamp of installed software, which allows remote attackers to
force a version downgrade by using (1) ActiveX or (2) Java components
to offer signed code that corresponds to an older software release,
aka Bug ID CSCtw48681.

RuggedCom Rugged Operating System (ROS) before 3.3 has a factory
account with a password derived from the MAC Address field in a
banner, which makes it easier for remote attackers to obtain access by
performing a calculation on this address value, and then establishing
a (1) SSH or (2) HTTPS session, a different vulnerability than
CVE-2012-1803.

ar web content manager (AWCM) 2.2 does not restrict the number of
comment records that can be submitted through HTTP requests, which
allows remote attackers to cause a denial of service (disk
consumption) via the coment parameter to (1) show_video.php or (2)
topic.php.

Multiple cross-site scripting (XSS) vulnerabilities in Pligg CMS
before 1.2.2 allow remote attackers to inject arbitrary web script or
HTML via (1) an arbitrary parameter in a move or (2) minimize action
to admin/admin_index.php; (3) the karma_username parameter to
module.php in the karma module; (4) q_1_low, (5) q_1_high, (6)
q_2_low, or (7) q_2_high parameter in a configure action to module.php
in the captcha module; or (8) the edit parameter to module.php in the
admin_language module.

The intu-help-qb (aka Intuit Help System Async Pluggable Protocol)
handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009
through 2012, when Internet Explorer is used, might allow remote
attackers to obtain sensitive information via a URI with a % (percent)
character as its (1) last or (2) second-to-last character, in
situations where a certain "post-URL data" buffer contains a 0x0000
character but a buffer overflow does not occur.

Heap-based buffer overflow in the intu-help-qb (aka Intuit Help System
Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll
in Intuit QuickBooks 2009 through 2012, when Internet Explorer is
used, allows remote attackers to cause a denial of service (memory
corruption) or possibly execute arbitrary code via a URI with a %
(percent) character as its (1) last or (2) second-to-last character.

main/manager.c in the Manager Interface in Asterisk Open Source
1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1
and Asterisk Business Edition C.3.x before C.3.7.4 does not properly
enforce System class authorization requirements, which allows remote
authenticated users to execute arbitrary commands via (1) the
originate action in the MixMonitor application, (2) the SHELL and EVAL
functions in the GetVar manager action, or (3) the SHELL and EVAL
functions in the Status manager action.

Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 on the SPARC and
Itanium platforms does not properly perform data alignment for a
certain structure member, which allows remote attackers to cause a
denial of service (application crash) via a (1) ICMP or (2) ICMPv6
Echo Request packet.

Multiple integer overflows in the read_bitmap_file_data function in
io-xbm.c in gdk-pixbuf before 2.26.1 allow remote attackers to cause a
denial of service (application crash) via a negative (1) height or (2)
width in an XBM file, which triggers a heap-based buffer overflow.

Multiple buffer overflows in the hfsplus filesystem implementation in
the Linux kernel before 3.3.5 allow local users to gain privileges via
a crafted HFS plus filesystem, a related issue to CVE-2009-4020.

The IRM Server in EMC Documentum Information Rights Management 4.x
before 4.7.0100 and 5.x before 5.0.1030 allows remote attackers to
cause a denial of service (NULL pointer dereference and daemon crash)
via input data that (1) lacks FIPS fields or (2) has an invalid
version number.

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before
3.0.3 allow remote attackers to inject arbitrary web script or HTML
via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the
parameter parameter to apps/contacts/ajax/addproperty.php, (3) the
name parameter to apps/contacts/ajax/createaddressbook, (4) the file
parameter to files/download.php, or the (5) name, (6) user, or (7)
redirect_url parameter to files/index.php.

scripts/dget.pl in devscripts before 2.10.73 allows remote attackers
to execute arbitrary commands via a crafted (1) .dsc or (2) .changes
file, related to "arguments to external commands" that are not
properly escaped, a different vulnerability than CVE-2012-2240.

Multiple stack-based buffer overflows in a certain ActiveX control in
qp2.cab in IBM Lotus Quickr 8.2 before 8.2.0.27-002a for Domino allow
remote attackers to execute arbitrary code via a long argument to the
(1) Attachment_Times or (2) Import_Times method.

Multiple integer signedness errors in crypto/buffer/buffer.c in
OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow
attacks, and cause a denial of service (memory corruption) or possibly
have unspecified other impact, via crafted DER data, as demonstrated
by an X.509 certificate or an RSA public key. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2012-2110.

Multiple buffer overflows in FlightGear 2.6 and earlier and SimGear
2.6 and earlier allow user-assisted remote attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a (1) long
string in a rotor tag of an aircraft xml model to the
Rotor::getValueforFGSet function in src/FDM/YASim/Rotor.cpp or (2) a
crafted UDP packet to the SGSocketUDP::read function in
simgear/simgear/simgear/io/sg_socket_udp.cxx.

Redmine before 1.3.2 does not properly restrict the use of a hash to
provide values for a model's attributes, which allows remote attackers
to set attributes in the (1) Comment, (2) Document, (3) IssueCategory,
(4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)
Version, (9) Wiki, (10) UserPreference, or (11) Board model via a
modified URL, related to a "mass assignment" vulnerability, a
different vulnerability than CVE-2012-0327.

Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on
Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236
on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before
11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows
attackers to execute arbitrary code or cause a denial of service (NULL
pointer dereference) via unspecified vectors.

Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x
before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x,
2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with
agent SSL keys to (1) cause a denial of service (memory consumption)
via a REST request to a stream that triggers a thread block, as
demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a
denial of service (filesystem consumption) via crafted REST requests
that use "a marshaled form of a Puppet::FileBucket::File object" to
write to arbitrary file locations.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before
2.12 allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary code
via vectors related to garbage collection after certain MethodJIT
execution, and unknown other vectors.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before
2.10 allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary code
via vectors related to (1) methodjit/ImmutableSync.cpp, (2) the
JSObject::makeDenseArraySlow function in js/src/jsarray.cpp, and
unknown other components.

Opera before 11.62 allows remote attackers to bypass the Same Origin
Policy via the (1) history.pushState and (2) history.replaceState
functions in conjunction with cross-domain frames, leading to
unintended read access to history.state information.

Multiple cross-site request forgery (CSRF) vulnerabilities in Wolf CMS
0.75 and earlier allow remote attackers to hijack the authentication
of administrators for requests that (1) delete users via the user id
number to admin/user/delete; (2) delete pages via the page id number
to admin/page/delete; delete the (3) images or (4) themes directory
via the directory name to admin/plugin/file_manager/delete, and
possibly other directories; or (5) log out the user via a request to
admin/login/logout.

Multiple directory traversal vulnerabilities in the Get Template
feature in plugins/gui.ajax/class.AJXP_ClientDriver.php in AjaXplorer
3.2.x before 3.2.5 and 4.0.x before 4.0.4 allow remote attackers to
include and execute arbitrary local files via a .. (dot dot) in the
(1) pluginName or (2) pluginPath parameter in a get_template action.
NOTE: some of these details are obtained from third party information.

Multiple cross-site scripting (XSS) vulnerabilities in the status
program on the ForeScout CounterACT appliance with software 6.3.3.2
through 6.3.4.10 allow remote attackers to inject arbitrary web script
or HTML via (1) the loginname parameter in a forgotpass action or (2)
the username parameter.

RuggedCom Rugged Operating System (ROS) 3.10.x and earlier has a
factory account with a password derived from the MAC Address field in
the banner, which makes it easier for remote attackers to obtain
access by performing a calculation on this address value, and then
establishing a (1) TELNET, (2) remote shell (aka rsh), or (3)
serial-console session.

The TNS Listener, as used in Oracle Database 11g 11.1.0.7, 11.2.0.2,
and 11.2.0.3, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5, as used in
Oracle Fusion Middleware, Enterprise Manager, E-Business Suite, and
possibly other products, allows remote attackers to execute arbitrary
database commands by performing a remote registration of a database
(1) instance or (2) service name that already exists, then conducting
a man-in-the-middle (MITM) attack to hijack database connections, aka
"TNS Poison."

Multiple cross-site scripting (XSS) vulnerabilities in the "stand
alone PHP application for the OSM Player," as used in the MediaFront
module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal,
allow remote attackers to inject arbitrary web script or HTML via (1)
$_SERVER['HTTP_HOST'] or (2) $_SERVER['SCRIPT_NAME'] to
players/osmplayer/player/OSMPlayer.php, (3) playlist parameter to
players/osmplayer/player/getplaylist.php, and possibly other vectors
related to $_SESSION.

Directory traversal vulnerability in combine.php in OSClass before
2.3.6 allows remote attackers to read and write arbitrary files via a
.. (dot dot) in the type parameter. NOTE: this vulnerability can be
leveraged to upload arbitrary files.

Multiple cross-site scripting (XSS) vulnerabilities in functions.php
in phpPgAdmin before 5.0.4 allow remote attackers to inject arbitrary
web script or HTML via the (1) name or (2) type of a function.

Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9
allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to an object that (1) was not properly
initialized or (2) is deleted, aka "OnMove Use After Free
Vulnerability."

Microsoft Internet Explorer 6 and 7 does not properly handle objects
in memory, which allows remote attackers to execute arbitrary code by
accessing an object that (1) was not initialized or (2) is deleted,
aka "Layout Memory Corruption Vulnerability."

Multiple directory traversal vulnerabilities in the iBrowser plugin
library, as used in Open Journal Systems before 2.3.7, allow remote
authenticated users to (1) delete or (2) rename arbitrary files via a
.. (dot dot) in the param parameter to
lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php.

Multiple cross-site request forgery (CSRF) vulnerabilities in
admin.php in PBBoard 2.1.4 allow remote attackers to hijack the
authentication of administrators for requests that (1) upload a file
via an add action or (2) change the contents of a file via a dit
action.

Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow
remote attackers to execute arbitrary code via a crafted tile size in
a TIFF file, which is not properly handled by the (1) gtTileSeparate
or (2) gtStripSeparate function, leading to a heap-based buffer
overflow.

The regset (aka register set) feature in the Linux kernel before
3.2.10 does not properly handle the absence of .get and .set methods,
which allows local users to cause a denial of service (NULL pointer
dereference) or possibly have unspecified other impact via a (1)
PTRACE_GETREGSET or (2) PTRACE_SETREGSET ptrace call.

Multiple cross-site scripting (XSS) vulnerabilities in
revisioning_theme.inc in the Taxonomy module in the Revisioning module
6.x-3.13 and other versions before 6.x-3.14 for Drupal allow remote
authenticated users with certain privileges to inject arbitrary web
script or HTML via the (1) tags or (2) term parameters.

The change_user method in the SUIDManager
(lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and
2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x,
2.0.x before 2.0.3 does not properly manage group privileges, which
allows local users to gain privileges via vectors related to (1) the
change_user not dropping supplementary groups in certain conditions,
(2) changes to the eguid without associated changes to the egid, or
(3) the addition of the real gid to supplementary groups.

Cross-site scripting (XSS) vulnerability in admin/EditForm in
SilverStripe 2.4.6 allows remote authenticated users with Content
Authors privileges to inject arbitrary web script or HTML via the
Title parameter. NOTE: some of these details are obtained from third
party information.

DistUpgrade/DistUpgradeMain.py in Update Manager, as used by Ubuntu
12.04 LTS, 11.10, and 11.04, uses weak permissions for (1)
apt-clone_system_state.tar.gz and (2) system_state.tar.gz, which
allows local users to obtain repository credentials.

Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and
earlier allow remote authenticated users with certain permissions to
execute arbitrary SQL commands via the root_node parameter in the
display_children function to (1) getrequirementnodes.php or (2)
gettprojectnodes.php in lib/ajax/; the (3) cfield_id parameter in an
edit action to lib/cfields/cfieldsEdit.php; the (4) id parameter in an
edit action or (5) plan_id parameter in a create action to
lib/plan/planMilestonesEdit.php; or the req_spec_id parameter to (6)
reqImport.php or (7) in a create action to reqEdit.php in
lib/requirements/. NOTE: some of these details are obtained from third
party information.

TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote
attackers to execute arbitrary PHP code via a crafted serialized
object in the (1) cookieName to lib/banners/bannerlib.php; (2)
printpages or (3) printstructures parameter to (a)
tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4)
sendpages, (5) sendstructures, or (6) sendarticles parameter to
tiki-send_objects.php, which is not properly handled when processed by
the unserialize function.

chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x
before 10.0.1, when the res_srtp module is used and media support is
improperly configured, allows remote attackers to cause a denial of
service (NULL pointer dereference and daemon crash) via a crafted SDP
message with a crypto attribute and a (1) video or (2) text media
type, as demonstrated by CSipSimple.

Multiple buffer overflows in the get_qcx function in the J2K decoder
(j2kdec.c) in libavcodec in FFmpeg before 0.9.1 allow remote attackers
to cause a denial of service (application crash) via unspecified
vectors.

VP8 Codec SDK (libvpx) before 1.0.0 "Duclair" allows remote attackers
to cause a denial of service (application crash) via (1) unspecified
"corrupt input" or (2) by "starting decoding from a P-frame," which
triggers an out-of-bounds read, related to "the clamping of motion
vectors in SPLITMV blocks".

Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4,
as used in Keystone, allow remote attackers to execute arbitrary SQL
commands via the (1) limit or (2) offset keyword to the select
function, or unspecified vectors to the (3) select.limit or (4)
select.offset function.

class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x
before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x
before 2.2.1 and other products, allows remote authenticated users to
inject arbitrary e-mail headers via vectors involving a crafted (1)
From: or (2) Sender: header.

The clone_file function in transfer.c in Augeas before 1.0.0, when
copy_if_rename_fails is set and EXDEV or EBUSY is returned by the
rename function, allows local users to overwrite arbitrary files and
obtain sensitive information via a bind mount on the (1) .augsave or
(2) destination file when using the backup save option, or (3) .augnew
file when using the newfile save option.

Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6,
and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is
enabled, does not properly validate the X-Forwarded-For HTTP header,
which allows remote attackers to bypass the lockout policy via a
series of authentication requests with (1) different IP address
strings in this header or (2) a long string in this header.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before
10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird
ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allow remote
attackers to cause a denial of service (memory corruption and
application crash) or possibly execute arbitrary code via unknown
vectors.

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18
and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers
to cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via unknown vectors.

The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security
Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0,
Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0,
Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows
remote attackers to cause a denial of service (application crash) via
a zero-length item, as demonstrated by (1) a zero-length basic
constraint or (2) a zero-length field in an OCSP response.

An ActiveX control in gwcls1.dll in the client in Novell GroupWise 8.0
before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to
execute arbitrary code via (1) a pointer argument to the SetEngine
method or (2) an XPItem pointer argument to an unspecified method.

yast2-add-on-creator in SUSE inst-source-utils 2008.11.26 before
2008.11.26-0.9.1 and 2012.9.13 before 2012.9.13-0.8.1 allows local
users to gain privileges via a crafted (1) file name or (2) directory
name.

The DPA_Utilities.cProcessAuthenticationData function in EMC Data
Protection Advisor (DPA) 5.5 through 5.8 SP1 allows remote attackers
to cause a denial of service (NULL pointer dereference and daemon
crash) via an AUTHENTICATECONNECTION command that (1) lacks a password
field or (2) has an empty password.

The IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0
through 15.2 and IOS XE 2.1.x through 2.6.x and 3.1.xS through 3.4.xS
before 3.4.2S, 3.5.xS before 3.5.1S, and 3.2.xSG before 3.2.2SG allows
remote attackers to cause a denial of service (device reload) by
sending IKE UDP packets over (1) IPv4 or (2) IPv6, aka Bug ID
CSCts38429.

The sccp-protocol component in Cisco IP Communicator (CIPC) 7.0
through 8.6 does not limit the rate of SCCP messages to Cisco Unified
Communications Manager (CUCM), which allows remote attackers to cause
a denial of service via vectors that trigger (1) on hook and (2) off
hook messages, as demonstrated by a Plantronics headset, aka Bug ID
CSCti40315.

The UDP inspection engine on Cisco Adaptive Security Appliances (ASA)
5500 series devices, and the ASA Services Module (ASASM) in Cisco
Catalyst 6500 series devices, with software 8.0 before 8.0(5.25), 8.1
before 8.1(2.50), 8.2 before 8.2(5.5), 8.3 before 8.3(2.22), 8.4
before 8.4(2.1), and 8.5 before 8.5(1.2) does not properly handle
flows, which allows remote attackers to cause a denial of service
(device reload) via a crafted series of (1) IPv4 or (2) IPv6 UDP
packets, aka Bug ID CSCtq10441.

Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13
allows remote attackers to take control of sessions via unspecified
vectors related to the (1) commenting feature and (2) community
script.

Multiple stack-based buffer overflows in MinaliC 2.0.0 allow remote
attackers to execute arbitrary code via a (1) session_id cookie in a
request to the get_cookie_value function in response.c, (2) directory
name in a request to the add_default_file function in response.c, or
(3) file name in a request to the retrieve_physical_file_name_or_brows
function in response.c.

Multiple stack-based buffer overflows in the NTR ActiveX control
before 2.0.4.8 allow remote attackers to execute arbitrary code via
(1) a long bstrUrl parameter to the StartModule method, (2) a long
bstrParams parameter to the Check method, a long bstrUrl parameter to
the (3) Download or (4) DownloadModule method during construction of a
.ntr pathname, or a long bstrUrl parameter to the (5) Download or (6)
DownloadModule method during construction of a URL.

monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows
remote authenticated users to obtain sensitive information such as
database and user credentials via error messages that are triggered by
(1) a malformed hoststatustypes parameter to status/service/all or (2)
a crafted request to config.

model/modelstorage.py in the Tryton application framework (trytond)
before 2.4.0 for Python does not properly restrict access to the
Many2Many field in the relation model, which allows remote
authenticated users to modify the privileges of arbitrary users via a
(1) create, (2) write, (3) delete, or (4) copy rpc call.

curl and libcurl 7.2x before 7.24.0 do not properly consider special
characters during extraction of a pathname from a URL, which allows
remote attackers to conduct data-injection attacks via a crafted URL,
as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3,
or (3) SMTP protocol.

The TeraRecon server, as used in GE Healthcare Centricity PACS-IW
3.7.3.7, 3.7.3.8, and possibly other versions, has a password of (1)
shared for the shared user and (2) scan for the scan user, which has
unspecified impact and attack vectors. NOTE: it is not clear whether
this password is default, hardcoded, or dependent on another system or
product that requires a fixed value.

GE Healthcare Centricity Analytics Server 1.1 has a default password
of (1) V0yag3r for the SQL Server sa user, (2) G3car3s for the analyst
user, (3) G3car3s for the ccg user, (4) V0yag3r for the viewer user,
and (5) geservice for the geservice user in the Webmin interface,
which has unspecified impact and attack vectors.